23542300x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:38.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84DB77C775D0BC81DF9E52447A41071,SHA256=9A6A930BE9F7BA4183723AA23EACC0A87062B78DABE3ED92933D4EBE1463D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:38.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB14861DB3530D731C1691A247C91CC,SHA256=6F012284DD2806C4181C9C778184C29ABAC79FCC2A79E8005152F9BD26A2996C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.982{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D0861AF0C876E279D58361200023BB,SHA256=FE7E363D19CCE819FE827B7B5E1E67B2007F9F53F48DB5C86B035D6D7E7B314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:39.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09688938AA186CF8C5FE54E1E49A583C,SHA256=FCE99DAE8DF72C12263902047AB9BD4C78A41FE3B5FF1C2B3258689093D69AB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:35.647{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.234{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539871F7FBA1284EEF717B3BF0CE48B9,SHA256=094DD22E795522EBDF357A5B1B111F0BF4A249E5E199B5246070403138E7E6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:41.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3103E809B3B6D914B39DA033FE4713,SHA256=A3EE2F485CE3F5F18CCEA4A39C45DCEEAF97F65EE7EFF3276CC3C4F993E0235B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.364{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59119-false10.0.1.12-8000- 23542300x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478AC04982573192E8BA809CEA5E80CE,SHA256=89C04D43C0CD0E6440AF3D7BBE5D57F8BBD78E32B38693DCA13ED897433A13A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:42.328{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3783C1AED0A1C490A620E2E2F7EE74EA,SHA256=15AE6FFF7418487DFC2B992BDBB2607011A836A91BED8F3C5CC961D4665F8FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:42.045{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D2DD87EBE23BF0310C855B05A2EA53,SHA256=393D0EDFE6A0A8CF512F66B4CC1C49227611E1DFE3DDAC0E9110A4DEE230140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:43.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4078E63184E04965E00A6798A431F4,SHA256=42E49FB0BA833404FB7F962CEA494D6C2496B37DFA04453FAF0E8AB804A029BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:43.342{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82246BF6D623037B9B77D17177FA4E49,SHA256=E1E320ABC4D29F93E7D472803E1137B2BA89DE9A425F61B2C13C0193DE852A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.694{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:44.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB83ADD53E6DC7EF0C507DE85DE9D699,SHA256=63C903E6B81AB608E141E7E3D79B88A18F4AAE70875E6839B65CB9205DAF8A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.934{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-62350-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:44.073{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C35B334C2BE1C36FC37528F0E9FB2EA,SHA256=A5EA8C14B96F68D72CB658602E0315AF243F55BED400B6DF92FC802CF845DC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:45.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1620D50EDDB95E85A4115473739E32,SHA256=2BA4742A496ED1C7D4152003E580F111EE37EABB65E7A5FFF35151AFB84853F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.089{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89601408B34621F9C94ADEF948FFFC84,SHA256=765724D9B1B1475D4825419DAD889971CD604D89C89892D495D75D334724FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6139AAC871DAA2929A7618FF2E91C3A2,SHA256=DADFF77BFC150E522A2F276E9766E289E24E1FB91B8A2F53F2FCE99ACD5DCCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD4718BB057B5E6A053944C7BD0925C,SHA256=357FEEB367532BA435C9C46C47EAC243F2793F566375D170DF4CD2B1A99665AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59120-false10.0.1.12-8000- 13241300x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 13241300x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 23542300x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:47.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2992656C48C3A21A9F31FD0073F67AF4,SHA256=7157D041C684171520A757B5112A9EA16ABD1C8706837886C8F432759E600AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:47.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF54453820563869087734F09F0A55A,SHA256=290E156D141DD84BA72D14533CDAFDD38A552585FC9907CEFF3ACF387ECDC2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7925D7F7BC449B888F68430F58746F,SHA256=787237A595B02B2043E7239A51A906E46D32656AEC7C308DC6143D6D2467BF34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.712{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50806-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:48.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F529B9E1AEB64BC6527E51DB14045A82,SHA256=FF2101D0E5B9BAB0FBF4A1B0822E2B8C40386AC3DEC8FC0853439226BFB63EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16322EF181B5362DDA14C402DECBB021,SHA256=BB2AF6910BE68AB299BCE9355BF3E100A3844413EC9B75E5A1CD153114072BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:49.467{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316025230F06715B474E292F1D9141C7,SHA256=1579FEF2823BA12E9B84B687BA1D784135304995859716A43BA4C6F802236C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:49.167{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023B3D3BC3DE841EE2B17F5D337A4315,SHA256=92A8714C1E6D148CA338D6868486DFE8763F3B51B1DD1CFF53335EF068B1A758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.857{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50806-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.679{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com54159-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:50.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07461BCB7FE870315490B0CAEFB1BE30,SHA256=A3DDAA326A698957947682782F1CF00BFAC33D9995829B003607A5AC7B8425A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:50.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102AD9FC5A233F43216E7FAA6A4CC36,SHA256=09B7F975D422ED802BAAF13383E2299C186795471AA5CF96761B5B79A15246DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:51.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5922E5C5E6756B673CE57EC488F487,SHA256=EE060F60177318C74EFF7ACB15052C9D95E7FA2E2E14FADBDCBE822B38CDA3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2F2C9C5A1E1C6AF6C45399E7D47F04,SHA256=0E4C3628E6C0DCFCC64DC36BC7674CC3748D66307ADF81424D8342E8FFD6372B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F8164F627AE33F3898DDEEE48C47B,SHA256=658627F42DF5CD2E8D62A0ED9B3D7498A19E032A1786917047035C4A4996505F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.698{5097E253-90F8-6149-722B-00000000FB01}81523032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.527{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.214{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1232AB2197A5CC76757B42CABB56D7,SHA256=2F15D00DC8460A403D9F7CA5610BEEA351FB23EF79B016A81421E24CD5F62C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:53.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DECED0FF351FE4593A74FD693421185,SHA256=6B070E76B3877CCCE01E574BC9FC7E0451A080E2FE1B7B2C4532581F361C720A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.871{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.230{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401F3D96A2D57548E0E0E232F8612572,SHA256=785CCA4E724377B7711A9645F2880CD79D6DD2C35FA1D6A9471D1D30A1888AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.199{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:54.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0217F9031191CF2EFF1A765FEE06700D,SHA256=2246484B7BF94614E63EBA4A206D900419B51B44FD00ACB0D66C5E6B3336AAC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.526{5097E253-90FA-6149-752B-00000000FB01}73967220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.387{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1650716F4D17FA04772198A072AB68,SHA256=475981F4B04BE049775C7DF4E96305F94020571E74333B8CC0918B376CCC37D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.424{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59121-false10.0.1.12-8000- 10341000x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.011{5097E253-90F9-6149-742B-00000000FB01}15523528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:55.655{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477CA82FCAA6FE1D0744D197A206AB8,SHA256=5AADC7E75B6639932B81DFB657C86816FBFD3495021C69F9FD61408AE1D00AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBEE8474A1D2128D74B48AB005C9BE5,SHA256=4333A80C8CE4EA89FA76AAF1F0512B48B92D6419BAC61156A68C717C25EF09FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.183{5097E253-90FB-6149-762B-00000000FB01}62848028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:56.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F599B9F1EADD093D9FBC6850C2681D,SHA256=A4FA0F4878DD15AC57E12412B085D87554C14EFC101479BF4F6677C5CC8318EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE527B8CB6D5DC6A0A5DAB0370BA954A,SHA256=B540F1EE015D3C9BA7D62473128568B87CBEB612992FB5440D9E427E88E10B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:57.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC7CE72A1399A938C87E88052365F,SHA256=1B8FBF415616981FC75CAC31134FB2C6C78A4F08E3AF144EC201222F4B6E3565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:57.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F9ECDF26916B76B1A484013E49B0DA,SHA256=A7BE8B3D187946863E5395D0EB94EE6A72E6B3305C74B5D400D838AEACF01847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:58.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53C0040036AD48DA1CDF4C8E8E2CE,SHA256=15372CFA80E517842C83353CE05FA651319D16B722524D6DAB8C478EB2D5B6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD9061C1722A39BFFB38B5AE5FF9C5D,SHA256=7A06E5602EA6BE02CC14B1871214C8254F41B2B702F3E2B9A99F32F3DBCC83FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000258667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:59.748{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C09C8CE39BC34C4F3B42A3CA6897C9,SHA256=DC470BA227C9BD7AA2A46ACD11BCC8B2B780ED1C37E63589CC25F9DB56764031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:59.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA4538712D0371B401B7B5DDD29ED3,SHA256=4997216A63EE52B291E9CC4FD4F7BF186E9B55BD1C88920DF2242B9786A36666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59123-false10.0.1.12-8000- 23542300x8000000000000000258669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:00.764{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14BD6EFC3DDE10AA7AFD0AC25111DAE,SHA256=233ED59FCEE17AF4598268CB4FC7EDF8DDC5CB19F6F736BE94A59472DB4A9D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA5D10BF5A4212F46961B9FD2750EF8,SHA256=6CAD947D28A807F4334C26C26DCCC720BEEFF5B0B8E8D5051F67892A4D7A2E9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.600{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.027{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE791EAFF505DF98E157A86D382128,SHA256=AFE47C724D7043412C476F5173782994DB6A27CB55928EADC4B031BC706B2FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:01.795{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37D4A6EE31998F021A4159C43BB3AF,SHA256=7B576817715C58CDBCDFDE631A4ECBE0ECF92CB4D6AF161A96CB9A8E5BC4CC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:02.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB56CE7163EC7B13385477CAB3F9387,SHA256=8C1966E96AAD2B1FBEC6AC336A974BB46B1B7D740D61D8ACA3B5A7A2B31D0BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:02.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B984CEC8351D332A85FC2EF02E54FB8C,SHA256=8BCA50A51FCD0E85CB5FBE15E2952CB14B70CE77BAD99AC24A7D0F4845733C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2772712B5D0AB13DBE4344642D30F8F6,SHA256=9A18045696D944372A756E365EB06C5ABEC2C087F446D279E9ECE3A77136EBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:03.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F6778D5F4F66C609BA89F9D86C7571,SHA256=089D58581CDBF4345E5B4A1250F1D3DED97DC60723E5D078E60B3DF9115E584E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.181{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D45A8B3AE5E1772DADB3F2888D3AB43,SHA256=875006647351913B7A3238016C0EF897EF31D83724458309032FA3E2874EC689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:04.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0928B061773220240CD4F1C94AFF7FEF,SHA256=04EF51B9150A53C44F4E35E4516EE86F739DE9FF55B3854CEB43EF1E753F7ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:04.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2E719FE15F84190EC5BEB2A1B92E5,SHA256=8667E9539FF40EA7CDCF5882A39C125A1FD6F485BEB2CCDABDE10376D14DE23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.548{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59124-false10.0.1.12-8000- 23542300x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:05.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39203871078D918DCF9FED3F03391B45,SHA256=CFFC333850155E6297DA5671B42A2BB11AA70BD90CC4B81EFA4BF820E596DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:05.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F084D7BFC4A6102D97F94F86A6C6C016,SHA256=01637264866CDFBFEE7179AB36936D052A402D64A12441DA2C6E62455E5C4992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:06.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3C3214D196C87906E6E10239CB450D,SHA256=EAB717A2781FD7F1C30BCCA2F8A62F1CE041A2288169133BB039D637170EA038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97B2E2FE9242E56CEC6470D907FEF08,SHA256=E919628233D191169DEFF373B0191D905D0587BA507F0F6B51BFEDF6D82EEE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3486DB24EDAE499476A36F2A50DB1C6D,SHA256=D7E7029086D4D025C35E56E042DC76F4F40B1FE7A780E1045F85EED432864F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441DDC685D05E2AE55418C4F6AF8CAE6,SHA256=8CADC7B0028373F48F8861AFB82D5E9A9D2BFB1DC59BF957C203D68527D7AEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5880566A273F09D3B8973F1D98AA8AE3,SHA256=52D35080376D2BCAD3EEE4329ED28EE93CCC29F78BC7946DA261F8D45FF0B2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:08.647{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE02F94591CEAD4FA645520A5C788A25,SHA256=E3795DE33EB61C3DA511840A7E436884C3101F2208994CB07F43BCE99F1909D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE0E375DAA2DAC0C058AF02508C8C3E,SHA256=806DC51AEE02CF042F1FE3368917BA43D69884F4878B6CED143D34BF0D6372C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:09.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF44E80799558C422D1B7D4EF107AE8B,SHA256=FAF4594FE459691AB4352E4D5700BEAD847D6FCD90E07A959F0411DD32784FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.997{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50810-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.858{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com53236-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:10.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1DFC1198F9E3CDC2E29A2282698B4A,SHA256=6B0DCDA79D9C8EFE38444AD7978CC26DF710311102B5658D8025A0404B2284C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.736{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.852{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50810-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.419{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59125-false10.0.1.12-8000- 23542300x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:11.803{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36538B0916828A9B86724774DB48220,SHA256=173B828A3657A017353C5AFD70F126E81E9B06E2CF0335DFED4A1BCF1DEDA898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:11.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204395344F30BFAF2EF146F36E58A06C,SHA256=6EC6ACFECD257B3DFC36801FDBE27C246F5C32A5CF4A1C81A28559A6AB769CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.819{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C81A8FBABA0313461A754CD10E255F1,SHA256=7DACE3A0E2ACDE58103AD6FF83C3BFBB1625E4A062596CC85C6C9AADCDF8DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:12.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BFE20AD2FBC6119685188361F88278,SHA256=6C22232A3F3FD6626CC0F91D166E51C4B6383C8DD0D30D771E4B2B54ABD2A9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:13.834{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B9DEBBBDDB99EE15A82BFB4A4C362E,SHA256=10F7095A77D473809489361719FD40A3CB08D1F5CC8BFE51B38B12FE12B8D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:13.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2135042E5326ACD886131C0717219D45,SHA256=470417440EE22CB45981D6F4CC100E7FCCF3C9D19C8C0870DE6493717E2B7432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:14.866{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F3B6BDFC55F05DD69FFDE9CF62E097,SHA256=16FF8AC329AD64966C4B3C269F9E299B0EC450E20E0E04196763A8BBBDA10DB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.528{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59126-false10.0.1.12-8000- 23542300x8000000000000000258689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1FE4C64A5786A953DC8AAA2C5C7F36,SHA256=2B6E0B99838A9C621D143079ADB9E6C5C3674A7DEE4BBD33B5E6265676A55D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:15.881{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02109B8A2B524BE75D144AFC5BD730,SHA256=8F59A8345B47F67A274BDDFB65C15F95A8E98EF4539D1C7E7F093623EF10BF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:15.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03FF4A6BB689A25BD036066B0FCDEE4,SHA256=D51AE5257F42430821C76B05D613324E59229D8E1B344BAABD3B21FDAFF1EEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:16.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D186E412ED423BDD4DED480722943,SHA256=9963E55BAC459386D022D92436C3FFBE6CADB3AB210A2C984C1C5D27F1A2CB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:16.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B16872CEEE4A63ECD859A0C38AC4FD8,SHA256=65C9C74B20EEB703BB44036A9D257A04F7F636EA4B697186FFDA541FCD017CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:17.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C37C7A98670F1A92CEDF84F21D9C6A,SHA256=293FFB911EBB2E76B279658F70124E9C6A9071936E3934FE4E1B6EEB327C0C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:17.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B6D47815E961561AB2855928546E65,SHA256=77F78ED852B71E553CCD19959A931E64FC3C4973A30A59244DAC9422A80A3752,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.705{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C363FA4482654FC933534E03926829,SHA256=8AAC78F090ED94F68050A48B48FD46F4EAD31DB7CD3D094EE4FF24E643EE7164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:18.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83908EEB30160F15D0C996325CDE14C9,SHA256=9D5F9C4B84178872A121E01A37384246AD10F928C8A699A9AD9071E5CAB88C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.959{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1878E0B262473701B233D23BF58ED049,SHA256=5A89DB43C90897DEB3A27AFC9EA4D83B9C1D4CADC2D5F3315DF1C662921FB135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:19.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7FE05D5D5B6163AC8E7B30C7E76EC3,SHA256=05496B5DA0FFBD9B1189E3D3DBB8D0F8A27BB68DE404294C47BAF7CCC5DD01D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:20.975{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A92AB87643A9EF42A6D7F0C4289C34A,SHA256=511B42B0883381D447886A20A1D800BA3381FD5BDC3183BD7FAD2AFCBA223A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.854{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C104BF1E6E346DCAAF74B58810ABDC34,SHA256=85DC21ADEA64FB107922030BEA4BDC8CA84737984A641BEA73113D6CA9EFD755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57118- 354300x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60271- 10341000x8000000000000000258725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.666{C189DCE5-9115-6149-0F27-00000000FC01}9123356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.526{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CEDBB5B0BD340DF324A3EC0059431B,SHA256=FB59A2946F5806A2D432748682337D58404203842A7A09768BF048C7E19BBDCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.925{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57676-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59127-false10.0.1.12-8000- 10341000x8000000000000000258710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.010{C189DCE5-9114-6149-0E27-00000000FC01}3548736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.870{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.369{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7848EC97884270446BEFA62C78D6307,SHA256=44F6FFF7C30F3533FE8AC634FEFAFD59C0B94DB8AA7C711752C83B7AC6BE17A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:22.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F409A682F7979DC459FEC70168B99212,SHA256=298D08F4ADE8DBA54BF4A5BB4B746FC447ED531F189801ACAE6E97A284A4BD6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.198{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B75709A4E2DC75575630EF472DBB13,SHA256=AEFA5758475C92B3F414B10483784260FBAB4B4CCC4635C20B664261B890E41F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:21.093{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50814-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:23.027{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570DB742F69A66C8437B237F502E3D9,SHA256=47B663F7D9781684EA748633D777F6A0DE4F30A9B4E9C5210B3E98B01E91E4FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.162{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu49580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.764{C189DCE5-9118-6149-1227-00000000FC01}40723400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.593{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A33B37057EE7D03E85D823A14F82C,SHA256=48F022DD162CEEE7D71B334490C8D2052421D76893231B9232124B616E60EA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA4DAA4DB345A86C0F0724ECF84DDED,SHA256=9B38A01568B764D2AC79131305BE3D3E80D3058492EAD69A8DEF6E65A6374542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.237{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50814-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000258790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A247F034EF4F9A238DFAA3FCF216CFCF,SHA256=70B03C7DB7E1D84AFFCA0DFB487F8A6A25BF3917F63948FBBAAB2B4EA17E4CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545C771E92F3F351461304CF4774E764,SHA256=AF703877901D7001A4528C8034CC515350BFE266C13A9028F9AD76AA17DE5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:25.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921188D96471CF60EE35B1833667BE00,SHA256=1927D075B13B170C73C886C2D45F571B7B2C9572072538F4CB64414881D019B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.436{C189DCE5-9119-6149-1327-00000000FC01}18403268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.265{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000258805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:00:26.858{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebe-0xbcff5058) 10341000x8000000000000000258804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.828{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4384D16D8E580D0341083DFEC79CCFF3,SHA256=D28B887A0A2FDCF6561804C60CC248DD7F7A37917D1E13ED4503FA1799A3C752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:26.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F7872AF5C737C9E9C6B9480738A64,SHA256=FC61CEE2B4B978A11B230CABA71656E4B4217F810CA8E98803F1AD2869DA4BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.922{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEA733195164B530D36E265968FDE50,SHA256=B843E7906F71EC2C95491D56E9C0CA1C2B33258F6F06F0ED7AC28129EF26B701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.891{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D5E58286D628B404C23FAB45EE528,SHA256=3E753FC90F95AA3557BF5D29525CEDFCC6AED8D56EAADF283CCD3CEF33062A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:27.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F360AC8360613ED90470E1078FE47A5,SHA256=0A1BBB11521989BEB663CBA3383E683CD5F922317F954C44575AAE6AE35F0A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59128-false10.0.1.12-8000- 23542300x8000000000000000258809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:28.953{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADFA01C44877E42428E9B0641EA4A09,SHA256=FAD644B3BBE1E5901C532EB4289D6664DE66F824EF929B9518A4EAB0FCCCF798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.605{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D5419F56BC1EF8850247801AC99CB5E,SHA256=09681B272894EA725C4CBFDD659B562609D036DF5DF0B392237CE869EA72A9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3476A2A81332A82DEDB0394F36C4C91E,SHA256=24440BE8054149CE06056915620593963C6C953B27FD8F04945E413488F94953,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.553{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.969{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBBA802AE5EF1085BC9A5F90870E272,SHA256=AA79B51C06D5BB64F8926B3A68A11269289272C9190C1B7A89EF7286305A1D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:29.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113BA59F6A740E908887668C8C3A1D12,SHA256=4043B74272414615428A4988035F78E1A72DB7B43D3D13F6C3BF3A2560000EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.203{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1367MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.169{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC40C732EECBA1CDAD676542E5ED73D7,SHA256=36FB648A998E2583A435454BD6BAA0CF6F3CA5D4A0834C2C33BA19EFD3C79A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:30.985{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E433AF506A9E7B635F1AF3EF2B8C719F,SHA256=019F746091BAE0683092DD85B3BCDEA0B5059C96F0B7C74461F491922CFF5F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.207{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1368MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.189{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17395F157A711013D5EFD09928D70178,SHA256=E9870F2FDB62C4FBD53A30FE5CCF4F535E81C42CA403E608EC8EF28AEA56CFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.241{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com52066-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.000{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F68A5EE519EB518880D76FE0DFF719,SHA256=86B13169A688D927AA8087354A02D15F0841A3FA39CA3109B690D9C427A12C64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.208{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXEC:\Temp\remcos_mod.7z2021-09-21 08:00:32.208 23542300x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.192{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DEE4B02AF3CA083378944EB43CE5F5,SHA256=4FD909A5F3FBE8BB50542ED17C670E09F7F31298D1108E2B0148155880A702BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:32.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D0BC3B92ACCF8D045DB4374345A723,SHA256=241507C206075DDB83C3099B5EC7FEDBB98FF8E34ACF176742F21B97D9520A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:33.364{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF10E0659A6F8AEF5C9B9235F32B87,SHA256=FB5D1A0A0BACE7DE175A17C306D8FF1AA3BE11BFACA04B1BB082EF9CA2BFCA06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.725{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:33.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568B58150619801375161FE35FBF42F,SHA256=83069AA6FCEFF5AC43670C3667CCC9915EA7F4F749BED34F6AA3A9F17BF6B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.508{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59129-false10.0.1.12-8000- 23542300x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:34.380{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D576046F64B83A55BFCCA37453C173E,SHA256=A46E1771D1A8C2BEA4DC46C09116250F4118DF39E119BBE16798868615A98ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:34.110{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F76006585B612A9DFBC8350D97DF45,SHA256=4525F78D07E3A6E9E33EB7E733BAAD1670CF0F2D9471F65CF2EB552270649181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.395{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F334B0503BB2FCB71A59A957789BB72,SHA256=EBEF3340310C1EF9A905C2D6C9A1E5A7AF423259DEC3C7D3C23A112B7461EAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.125{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B25F312857DAD20A427102D5E3C29F2,SHA256=50699089BDB2DACCB8DA0014BF0EF449508F2B03BA8E26AA82A045A08D91C02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\eventvwr.PNGMD5=4310123299C0DE80A83539CC13497AEA,SHA256=82CB3CD93C41AC8ABBCC79FCE4B7A12B30694C53E8C0A80DD982C6E104D0EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\download_c2.PNGMD5=EFCDDB4CAF355DD94AD161D767A77E77,SHA256=76626AB1A7D570CC27703E45A386F8C4714D838FF05E8874710EED6B8ABA1E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\disablelua.PNGMD5=EB310408CE2C27535BEE16AF2EF03C88,SHA256=83AF023E44E17688D5FC9174E460F5A56DB3659AD701B01D52D8CE7EFED2DD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\defaultbrowser.PNGMD5=D7DBC4EEAA3F88ABBECF063EDAC65EFD,SHA256=0CB3B183066E70111472490E53428D5730CF0BAE1F1EB0693DA30CEE830B4229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\connect_c2.PNGMD5=0BEE1CF9D17446150D3957ADECA1CF82,SHA256=334BED420901306E5CA2A7EBC27F610355CB7125CAC1EFC3E4CA73300A20776C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\computername.PNGMD5=DB121942755F1513B8EA34C8AC96F74D,SHA256=E89D9606414AFDBF6DAAC4B3B672773E7A459BADAB4AC28E1943619A0AC6A9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\clipboard.PNGMD5=0BCE5E0CDF5EA568FE1AFDCB672D24A9,SHA256=F779E599477D58A21B56FC1956D8E185BD0FABBCB8961A53770EEE9BCA0D53D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrom_store.PNGMD5=DE0F8C01D8F793CBF1B4D6C4527B8E39,SHA256=AC4C444E26397FC561CF04F441C4BFE970D60A82C4398D11B624C08A40C21A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrome.PNGMD5=3522F023BF774BF97B9C47C89A3B1CA9,SHA256=5351C8DFB249D9AAE604CD7CD36B1F22E7A0BA7D6D2C522EF262EA466C283C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\checkproduct_os.PNGMD5=37FF921B67307174D9C2B3B1A5B8F74A,SHA256=A5CDF5FEC2DC9D08F0957EE4B89E7F6121791509E6C43130358B95EC43A102E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\audio.PNGMD5=B72D26D029577E4C7812297065A1ACF2,SHA256=14FEE2D3C7ED3F5E35CD13A600748F1402CFB8207D141E05ECDE33E198146D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\antidebugg.PNGMD5=FE2946BA88F7B07EC3FC21359B861BB8,SHA256=D411EEF7954D9196B6B3ACF6F4C0F5AAEE1C7E5EF97F429A1D590CC43ACB27EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86ED6DC08AA78225026C3ACEBA1AE691,SHA256=32E230B20541F9861783EC3A1D9E8809704494C73616B36A0F435792FDA293ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EFC3D521E7F4E1EF82FD178C7E64274,SHA256=D0A49028465B738B020F78A79E63797DA87A5D3FEBAFE000285E27952388B47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1395A323315655368A8A2023C238BF,SHA256=4DF70E3D514083FFA52630316E79A09F8A384C7811D4F8FE87D0877BFFF51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.203{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.141{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED37D320BC21F70846EF776FE32FCDD,SHA256=DFE07C53D5CF590A5CC8BAB0A9E314DBF9C2213B834B729A378F3FBC516C9E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.380{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.301{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307D94E1FFAFB5C6045C62A564CF3736,SHA256=56010C2EA90A4B1EDFDE2715A5B0A6A631AD8830AEAC8662570E6C899D3C8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E3533648C1666D24BDA8B3A0D7BA28,SHA256=24E870AAF82F4B686A6D328ED710E35ECE481628667B19D8675D898017A397D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.678{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.318{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1359MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.159{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F533D50FF13FF5776A5BB19C4E764753,SHA256=A62CA55EA8C5A2F47708394C951B659140C8D845C07EA12F0615E67614EC05AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.052{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics.7zMD5=1D304F91AD4B5B4390D0C5533E92DD11,SHA256=BDD4423FB108C205BED35302CF8C48B0EDFF3B49090CBBCF7FA7DD902159C109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uninstall_bat.PNGMD5=38EC19DD6B6E3A7D8F3DB020D01C553C,SHA256=E3CAB5294676EC473CFA2D6D6CD3E69275D7DA7D56B80781C1EC6D044871E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uac_bypass.PNGMD5=B1452CFD7B184C4B863E0F9A97C2F85E,SHA256=28677CF719C4E8BBBDC2D0AC00B494894581E57A3487CC7B5515AA15DF1264E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\screenshot_png.PNGMD5=C1022DBB7301A8010355892510DA03A1,SHA256=EC85AE2BB87D20FCB223F2F39C5B866C558AAB369317FF6E9D6E991F7421966B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\regrun.PNGMD5=2771BC6BF2FD46253BB9025CFF3B9AA6,SHA256=EECEDE22F2815CB4CE3DB58C60994D9813B57E5326FD371DDC94534BA4C158D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\record_camera.PNGMD5=23914BCC65C5007287E5189A30875A36,SHA256=3CBC911BE8B8DD182F89BF150E361B620C131CD285BDAFB81F36F15D5774B8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\origmsc.PNGMD5=B53DBF593ACEF432507BD5823B18BD42,SHA256=85DB4C3F9AF32E18FCBA7054C6B2D81C6763A575D71B374968FB4454B4869638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\openmutex.PNGMD5=82E4B21DAAF15FF1367D5133D2460FD5,SHA256=FB43A0AC87555215526C2B58D0405B79006ABC70D6C117F74F0536FD8D2317C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\notes.txtMD5=837223B183FB387B786EA13826F0B630,SHA256=D2AAC537C5A5CD72481A87AE767039C9D6C070534F32D484B9245DB0DEC70AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\key_press.PNGMD5=1B909ACA120FC4287C85381F486BDD72,SHA256=933A9BE08882F9A0BCD77859D80D6464C4CCFCF91F60ACB2725313C7C7AB51C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\inj.PNGMD5=21F0FAD6A6DED792A6D3F904B237FFC8,SHA256=EC3CD98D0AF0CCC660911A1E90792465D655B15CE600F700EFC30661906B84F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\ie_cookie.PNGMD5=0F5C7A8AAF53F4DBCAE5CB32D07966A7,SHA256=4EB849517E805DD7D714A6B35BDDCD2D019A3F3C39F580558656D02781B8AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\firefox_profile.PNGMD5=2D2613692AAF836FF251998CB67C8EB2,SHA256=12BD04024F6339D471101A5423CBBEFCD0058F0C04C31A5CE006B1F1D6C3736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\Exepath.PNGMD5=26590D43406AF7E7F59B8214A32283D7,SHA256=79FBB7693E8773C312E0AE6FF697BDA0C8D9A14EE744A11B11C964AFBF079385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:38.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CBEC9996AAA269B9BDD8E1577CA47D,SHA256=3DF7AB665E71B49CDDB1B01DA04A259A4B293D2DA3EA5D05DF934BB1A96F6E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.317{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1360MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFA13D5A475BD6E4E4078A8DFC13C18,SHA256=DAFD13BA07861A2DBC93A3EC1EF48984E46094970BDA0E1CA6DAB3469EE0993F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.604{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59130-false10.0.1.12-8089- 23542300x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:39.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A22E206EE466FE586C5C8FDBBECC3,SHA256=FDDF983EACF4296E22FCCE120DF469D9CD7F490F8111FA0E5ACD43CF528280C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:39.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F87A47400162B0F0E98FC41AE5F6D83,SHA256=BCAAE3E69FEF3502CD101B44F2E39C390F9C506A7F2F97C1804BC85F596015D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.448{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59131-false10.0.1.12-8000- 23542300x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:40.458{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C7BA170060B29A0C7F421489F70F27,SHA256=B82CBD6F3F677EAFE3420BA5E167C8EE3F83881B61F8EE55A12B25C526791F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:40.223{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0DBC918DB04255B9CD2E91491EEB5,SHA256=52394A70C1709CEA25F20CB932092B40A9FD2E9367B9F204841C472D66D58B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C04AC57F064B5FBC8AC2341415F907,SHA256=0F9E233D5159E361F9CE4360B0D513B65CBA5DA88A90FB6DF7589C0D5ABEB665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:41.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B700AC399F712A9357955A0DCA236112,SHA256=AB2D83601811F7B9D0FADD3643BAAB426A7F002DBA82D4EC2123E5D74D062DC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.161{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.036{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.005{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.014{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap31747:46:7zEvent14784C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67A65B1A1AE6877C268C245C5F257AC,SHA256=4390DAE4FAC79367DBC7FE8F8797D185F39C8FB06BC6C8A91FEA37F49DDDA28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E17EB2CFDCDAAE21F3B9108A0D4D86,SHA256=BD63396240F62A4CF20F4556426C2A85E942DB25DF138944500C31E9FA0BEC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2892C8B1E7393CD84240D3F5D103917,SHA256=8FC7F0C1FDBBAE1446C1839F4709AD6A947D5FC0BF953A8291DB77DEEC91FFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:43.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75EFC2291F8F368F2383860A80EDE08,SHA256=051CBFA6FFFB1B321BCC2E28C7A65E49ED10FEA187AB770DEABEB2EAFC84C1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7D2AB2909F3EC60DEFF39BD23C8293,SHA256=6E82BA973CD629058A272DB9E3321BBDA1966EE43629174120E14CB8DA968D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:44.411{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB8569763FAE9FCFB88C824CD57DA5F,SHA256=5711F441D0A8AB84C383475BD9549C8307922F5058D16C59F9AEB921659339FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.563{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exeC:\Temp\remcos.exe2021-09-21 08:00:44.563 10341000x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.444{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59132-false10.0.1.12-8000- 23542300x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:45.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E45156DB32214A22A1D07C94D6C17E,SHA256=95FEC90D7686B75F5A7B9A804942FB041B35FC829665C2B5030491FF4FFB03C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:45.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80BA462DE44FBAB49EB900B9A80690F,SHA256=AA782CDA33A02A50D48F02FD923BCFF7C9AFD51EB66EA99A07F4EB14C0F20FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:46.751{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04274A029C0DC991420227247204353,SHA256=8EFA76C16DF378B2880F733CBDD59C4054247CCA523E3438F847FF80C342822B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:46.458{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4EFF64D6C704FCCA5CAD213AF25671,SHA256=71E76E59769D88185FA398E1301BA6252701E026029C6EBEF2723D8F3D48E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F0B5D84BF1A36CA0C0E93334E9C98,SHA256=71F70659821129907E52D4111F20C356B8B6AA37CFFF0A3450F1DA11A708900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:47.490{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08372FF7B8877C747DDE7E349C305E,SHA256=3385F220ECEFD64B5FFC29EE7D4B07A3BABDB643CE76B2AD33B30EA142BF0F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:48.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3C947345CCEEB04B825F524521ADFC,SHA256=EA43308F361F8C981D933AC09FB3D9D4D0E10A5A7224086DC12F77E9F2A221C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5C23EEDED5F4D6D8531ED5D8E0F74B,SHA256=6D8EA8825A037205C3FC1C8140A8DBF556498C6E872029EA550EF723A8366B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:49.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3C299A3776108A7F715A2A143AC36,SHA256=603F2FC08080FC38C6FB9EB835908E024480D3AA419505C9F74FA10A9DC2571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:49.552{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F4CA97D7CABEC5A642EF759AABF497,SHA256=98D30408C2F7D185D1A2D865E6FD86EE6FDCD5999B0588AFA379392C882A7EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.522{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59133-false10.0.1.12-8000- 23542300x8000000000000000258839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.583{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DCA0666EF3BD5879C78EF4C5E1BAB7,SHA256=58EE271DAB1D09D1544C49CBF47113A322DD0FB3D1FF9292B0E42370B6052766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.891{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:51.599{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FE0173494493EA41641A69238DBABC,SHA256=B8E48644905B2D899C40C35436B2183CB5562DBFC828616448CF5DE57E80630A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.469{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693424E2A177BCA8BB9B5826E23A4F6,SHA256=DF861171F689700E23B8639B7274642B0DEBBF68629FD6527FA9E2CE48A30A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.682{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.615{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A843F002D34864D154F0D7080AEDB7AF,SHA256=9F054252EFB66CF6323F25BE108D690A38BA5C313D451FD4233632E071CDB939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.553{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.695{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50821-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4A86949D1D5AF8B4AA6BA8605BD758,SHA256=FE251E03040C1783BE62E174DAFC5E7F56D54AD08506344D37DA6DF2F39D9B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326B2668DCD8DDDDCB571325E7A3EB3B,SHA256=A8F319D828CC0D9F5F6CD32A1F2798BD80D63C959BAD5A2845F4D0198EF8258D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1417061F14742A0A3556EC26077154EE,SHA256=A396CFE8765BB6074BDCB72C6CD5321FAEDF7A88126BB532C0B6522CF50B467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52514C0F6D23ACEB7085B340A2963498,SHA256=B4C2F47D6A16362766044F99F0B7554B7633077F702178157A6FFFAE989AE979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.391{5097E253-9135-6149-7B2B-00000000FB01}79167776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.236{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.047{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CC57A6BCE0CE6FB775EEF3583D8A8D,SHA256=F5BDA4227B46077393C33A516886FDEB2A6FD343BA323AE47FE1980A1741B3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.490{C189DCE5-4A3E-6148-0B00-00000000FC01}6243592C:\Windows\system32\lsass.exe{C189DCE5-4A3C-6148-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000258846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.840{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50821-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.671{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com51479-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B45398F28D244DD329CBE3FB619DBB,SHA256=FF23449926B13C2510A8BFB35433E97140DBEA881DEA7C2E37C7C7D6F133D19A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.719{5097E253-9136-6149-7E2B-00000000FB01}65927380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.566{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750B81126C6B3E1AC62774C7B809BD39,SHA256=774974DA3244C416245552457FB7F5A6E856D3FF1BEB409E5C9B610523EE493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64EC6DE2DB665072CB1462D87A568E6,SHA256=2A55E6ECBEDB821BDB943A30AA941757D9FF4EB0EE4E26D3D482A5CDEDF3D5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.047{5097E253-9135-6149-7C2B-00000000FB01}69007476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483D-6148-1400-00000000FB01}10362268C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.020{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,soundsC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000258851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:55.632{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4E6F14F6E9AE4D5793E1F0521E2FF1,SHA256=AE60E7E20C2DBB7CC40081250EFBF1F0042FCFF78566F169321DC1D7A631CADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.908{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59134-false10.0.1.12-8000- 354300x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.824{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50822-false10.0.1.14win-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A0E8E85A8E3D95EEFC47EF6AC9E6F,SHA256=2695089EB98DCD90BEBFF437BA2981AD3406B7ECF69FA472586BE8DD1EAB9A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.969{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50822-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 10341000x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.376{5097E253-9137-6149-7F2B-00000000FB01}81122144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.236{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:56.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CACF28EC86C21829A64FA87DF6A2605,SHA256=AA33669426CD87D80145A469B5C301D9B79DC13FB889CED74F59E7AD322C2391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:56.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E91C2C0C7FADB9DA2109106C1F87279,SHA256=DD5D291FA3E7B239AB068B25CB8469B659B047C679C3EB2E631B22DD42EC53FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:57.719{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E148BD65B3E74460DFF4FED86D7C6643,SHA256=112588BE33E58FF52FA5EE1D4CEB3B4A513719DA122EE9A85D32033B659496BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:57.663{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E3CA781C301635A7C808AE85D09D2,SHA256=94B6BE32A9762DDADBBE71F869238510C695A58BA133D1C42FE3EEA42DFD4D11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.637{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.804{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.803{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:58.735{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A6C5038E425CB139DE5935F0EC804C,SHA256=42337A71EBBA29C9FD75E146AAC20D1B5E67EF82D6A347B126D9B5B461EE2BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:58.678{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6EB8C72F94E98FBD186B616BB1762D,SHA256=29F33050891EC4BE91FCA7D4FF63633E4CF44A39E6BB04C36C1BDD913CF2B5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:59.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FBD88B8776B565DDDF58202ECE4BFA,SHA256=B3D185F568A4B6D42D6179D3071F518AA7B65003F13D0C34B76C1C28E23AEBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:59.782{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58804FE57168AE513A2ACB688396C474,SHA256=1F7AA36D21308C28711007092BA8583AE4489850CD5A3CDDC65551A9889B7B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:00.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BF1E188AE49B2FDE4698927EE94D92,SHA256=39385B05B035CF47A60D1B30AED655D52913EF8F81DA5F1F0EC8C8685E193007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795F8D30767BF9E9F0BE50C4790D322A,SHA256=CD14B7CFC77BA64729F28A2B018A44E740059A2D67512330BA019C44B6A6D402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3280DE0A8BD9ED096EBFF6B48FDCDB13,SHA256=12ED44B409477AE235C7564B47873A25CAF790019907716A1A52FF2ACB920F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.922{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Device Parameters\FriendlyNameRemote Audio 13241300x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}\FriendlyNameRemote Audio 13241300x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\0000\DriverVersion10.0.14393.0 13241300x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\##?#SWD#MMDEVAPI#MicrosoftGSWavetableSynth#{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\#\Device Parameters\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\MicrosoftGSWavetableSynth\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0004\DriverVersion10.0.14393.0 10341000x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1031,T1050SetValue2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Beep\StartDWORD (0x00000001) 10341000x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}6244080C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0A00-00000000FB01}6241976C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1031,T1050SetValue2021-09-21 08:01:00.813{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Audiosrv\StartDWORD (0x00000002) 10341000x8000000000000000295730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-9136-6149-7D2B-00000000FB01}51046508C:\Windows\system32\rundll32.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+3c8dc|C:\Windows\System32\shell32.dll+e2157|C:\Windows\System32\shell32.dll+e20b5|C:\Windows\system32\mmsys.cpl+24db3|C:\Windows\system32\mmsys.cpl+24edf|C:\Windows\system32\mmsys.cpl+42f1|C:\Windows\system32\mmsys.cpl+3ae2|C:\Windows\System32\shell32.dll+13b569|C:\Windows\System32\shell32.dll+2b5b03|C:\Windows\System32\shell32.dll+2b6b56 23542300x8000000000000000295728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAA8F732DC711533A1DEFD1A48D924A,SHA256=636129B3BEB4BB61B0434B755CCC1C09F8C93629183A52119AF74BFFC7B05B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.782{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.782{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.766{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.033{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:01.819{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB40589F099DB20C6A5280B743AACDD,SHA256=0D0B5409404368E93AED811F19FD20C3F831BB3765F778B61278100E6898C9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F30E9D63BA7418CF480079823F2D91E5,SHA256=EF203F4FE88499C9EB4B48C22B3400024EEAA2121FA1A72BCC1C7F6B011091BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86ED6DC08AA78225026C3ACEBA1AE691,SHA256=32E230B20541F9861783EC3A1D9E8809704494C73616B36A0F435792FDA293ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.891{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0662A0719AA488E27B112B770A191CEC,SHA256=144FDE3343A45151486D80C7B951FF1C59F4B2859F8AC3CE4E90490DB47E1B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.891{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750B81126C6B3E1AC62774C7B809BD39,SHA256=774974DA3244C416245552457FB7F5A6E856D3FF1BEB409E5C9B610523EE493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A35D5BFA4131CE3A675355B99844F6,SHA256=D08A99CE1843677E5D2681DE719C749A42869E205EA8321D556BF9194A2C8D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:59.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59136-false10.0.1.12-8000- 10341000x8000000000000000295827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.850{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D80F84A967D1D1ACADAED12779332A,SHA256=2DA7C7670B19BB5C09706878469444CE4E8DC4E1965AEC02FFE84797EB2FB77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:02.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA485433680B5DDB513A31DF941236,SHA256=AF6CABB2315DA3CF80C8DC7216D2D822EEB303BCC37075CDC3246D93B7B1A901,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:00.590{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:03.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ACD4ADCEBF793410E64F07627BABEF,SHA256=2696198C2239A8F3D605D9E71F8D89E00B385720E8A97EE92365408CDF0D2176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED92FFF2444FDE4B68ADA92D68155983,SHA256=1D15043640FFD0F8FC23EA2D268EC1EE8DC6E47837975028891D3214FEDEEDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.190{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D391427DBA487845460A196240D35E6A,SHA256=3DF226A5CA98C611EF2B218B09AF65143D8E85B6F5E1361B3058EB5DBC3A1448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:04.873{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA543EF11E390A3B2422DA987A4855,SHA256=700884FCAC30014CEDD777D0392FF9ADE2C2746194E4490BB5E4C4FB9205AC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.955{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18ECB4D0A0B39AEB7D6631F3BB90590,SHA256=7655348003A6141B13CE8F1F4B04BCA4B32DA5C3544767E59DC00D0C1128EAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A263BEC4A6C9007EEEF149F5976860FD,SHA256=8C070766449682925B2215BD4CC9D6EC3FCF956B2B0ACA1054E32C667E9CBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326B2668DCD8DDDDCB571325E7A3EB3B,SHA256=A8F319D828CC0D9F5F6CD32A1F2798BD80D63C959BAD5A2845F4D0198EF8258D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.642{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48850-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.562{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48738-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000295838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:02.908{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50825-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:05.904{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E5362A4E87581B8518928E35FB760C,SHA256=65B4B7108063D563651DA5AC31231C5A948AAA5E793F16F2EB73CEF20D84DC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E9133FA3C30A45FF4BB0416718EA0A,SHA256=00A20E865D3614CF6874BCE2528C43E033843B226F19EE3E9E936C51F2092113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.053{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50825-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000295839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:06.904{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8A757728290BD8C75E8A2244519741,SHA256=A3161A3F911C772F842B60C916AEB0AFD191F21066625C1D1054199CF8E6DE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:06.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B0AB7ED5379B7CEDB1DE51649E5ACE,SHA256=4A1E937D1C6EFFA0709D9968C9B6EAA15B270A32FB9656A42705BF8990408584,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.255{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50447-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:06.096{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A263BEC4A6C9007EEEF149F5976860FD,SHA256=8C070766449682925B2215BD4CC9D6EC3FCF956B2B0ACA1054E32C667E9CBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.987{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77404A8D0102CF8AD967E2745DD5A020,SHA256=4AF144C0CDAE3F91AE7D643399FDA4D121D9C478AE52DCBD4FDB60AD3D783A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:07.935{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41957DC78AF7FEAF7DC91126DE71BD95,SHA256=57C54B77416C945EF2BBA1AD36A6F55184AA0E03373497FAC6A4E83B9791914A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F868CCEA998B0B131B9CECAF41FA70,SHA256=B9AFF0B0F53ADA2EDCA6199C57AB55CF2DFD963AC2B63AA81A24CD280DFEB586,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.648{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.645{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51825-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000295842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:08.951{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFDD81AB43DCDBB9C18D1F5016C31D3,SHA256=A3989D6FAA234BB9BFB175A0605B3F8FEBF6046E178E57D09FD7400C6BB8851A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:05.363{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59137-false10.0.1.12-8000- 23542300x8000000000000000258878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:09.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BFB9C016361A2E6A0106D1839ACBB5,SHA256=6DD1E9F360491BE7E7E7BDB29DA5D38047690474DC46F80F9055B013A3017925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:09.018{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A810BF9B956449D052CAC57E4DC3756E,SHA256=654C79D17BE196D23D1EFA94F642A6858CCCF73C77B5CA8D86F36FE34F43627E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:08.722{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55029-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.131{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53387-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74775601C2F0CCF1784DBA28E29FE94F,SHA256=73E5601CFAEB64815B0AA18BC9C5D09F5D4C0D50E5BCA6F1FE5611E8131AA674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4FA55A86B27FFDF5EDCCD3A41970C3,SHA256=6B83318E72996249088568BB27E51DA566D84BF75F61FB314C08E13C08464303,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:10.951{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{a92a497c-9694-68bb-690a-d0ec7946fe91}\Root\InventoryDevicePnp\swd/mmdevapi/{3.0.0.00000002}.{6c26ba7d-f0b2-4225-b422-8168c5261e45}\DriverVerVersion10.0.14393.0 13241300x8000000000000000295846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:10.935{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{a92a497c-9694-68bb-690a-d0ec7946fe91}\Root\InventoryDevicePnp\swd/mmdevapi/microsoftgswavetablesynth\DriverVerVersion10.0.14393.0 23542300x8000000000000000295845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.326{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FB419142DB8FED6D65D7937784A1E4B,SHA256=ED026695E8EDA18736168485352BCB2B8FC2E5C01578D40001B46AA9378A5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.326{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F30E9D63BA7418CF480079823F2D91E5,SHA256=EF203F4FE88499C9EB4B48C22B3400024EEAA2121FA1A72BCC1C7F6B011091BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.013{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625B69B720617BB4F4023C4256B6376E,SHA256=DE3CB0FD2B01E9A639313415D8A09A927F8377709B44A909CCA982D4B57D6D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68598F9613AE7BDE3964F0E069605359,SHA256=F3B4CE2ED17EBE45250E9A9C6D92D02B4C9BF05055EC40123D59172085F558F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:11.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B0CE47E33D0CDD8F5D0E4C19628264,SHA256=3796B849B3E3461F00EC920FFD623D8A3836E49F10C99C16D8DDCFB3CAA72DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.695{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50827-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.159{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56477-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E941DD3586C7B047BAE3C5EE1432A928,SHA256=6398FAA30985CD9F0882EE5712E8426EBBD7127EF9ADAC5B825A51784A4A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420B0C4B9158DBEB1A934371144FE908,SHA256=7BF8C7603B1ED0AE794CA41F5AB092D435068F2F7DB4983DCB224E55110166DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:12.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8CC5E8247233068E078AC19BD43B5C,SHA256=A6D78CA6E835CE8C4DAF63930F5A94E2229FB74C0E00AB5CE32C9B347D12045C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20892F053E16B8A27547FDAB25A5C12C,SHA256=10DC2966E98DC393C729560EF3D718933A13A7706009BC4F7F276D84B9445D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.385{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com15474-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.174{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CF4F44B4C554677FA9D2D80D2A0BC6,SHA256=07A947AA4A0A604B44E69A671FA5B4A13D543DC0AEDCEBC68AB56A72B23A3E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.472{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59138-false10.0.1.12-8000- 23542300x8000000000000000295850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:13.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B7F325A5814A66ADE87DE51C53D4A9,SHA256=C3284A967DBE3ADEC42E2587CF6EB3C728C1A63935A87CF0F5810902DA362E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.754{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com49907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:14.190{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944BD7E9BC768464149451CB3F90BF96,SHA256=9FE8D98353D11DBBAA79C638C8E269FEFBA4EF2F31AA324243DBF5491E510900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:14.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0DFB0F623DDFEDD69E303E72C210B5,SHA256=37F35FEA37136AD88D91505BFD351E126B016EDE0EACFD3AF7FE8ED851F283AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.481{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59876-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.068{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58328-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:15.299{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00FFF62F1F10B3102A9F6E966A9BF51C,SHA256=96880CFE3C3103340614AAA844C14EF93FC29DEB163A9475B0C915D98E027A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:15.221{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C100EA7F4D6F5144B7B08E618DDA64,SHA256=CED78C592269DF573CC675ED7C1F3D814CA9929F3C1C2A578585F852F60432A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE015C44C0073A43A4AED2CDBD34C83,SHA256=A1E8F7C2A4CDB4B4A2BE446B7D8F09752A36B864B85BB8AD30E2C772215980B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000258898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:01:16.674{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebe-0xdab09feb) 23542300x8000000000000000258897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.252{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C65A7266AA94865077CEEF5087657D,SHA256=55916917917B2575895C7E95C92FE7D9A98E48C9E2912F87F28243785984CCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:16.076{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E609BC5779672BCA978B697E3EC460,SHA256=386924D02BF6EFA82F2A0CE7AFE8E7D4CBBC7DB57077EEE2B62A2E1795CADB9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:14.949{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2366-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:17.299{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1997DB90D0FB5955B823B2C663FDB8DA,SHA256=2FDD1BB4E4C88FE95541EA45C972D1A8B3A2E74793AC71864242AC1AEA0FCDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:17.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDF64D587BF166C5ABE0B54E31604B6,SHA256=3A6F22FF92195DEAB5015A2CEFE4ADE05E86BEC88CAA2635101A90675BF6E853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:17.033{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EAA3CE83AC43F11BF31485CE34AB6B,SHA256=79DBF91836BB31A9E3030A743E2BD61C29FB34669F3C1FBD00602E83A956EDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.132{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000258904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.132{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000258903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.580{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9F961B74D0A162E47A12A491C63D2D,SHA256=BCFB1DC0DF57F8C6E8A5E50243C7C87E5AF3AAC95EFCFAB90AB440DF19749571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69774380DFDBD98E238486D41C44676A,SHA256=5B3F7777C9B6714EAA8F6A2B439075178442775D1EAA2BF006E4CC36269B17B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.987{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 354300x8000000000000000295857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.566{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59139-false10.0.1.12-8000- 23542300x8000000000000000295856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:18.138{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9765D2556AA495E0584BC9FA6426211C,SHA256=22154C192BCCA71DCDEC6E1BD5C248813E139F79AFFBF4A38993D051A2A0EDA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.648{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.586{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4061-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:19.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F531516D96F7622EA8B94BE70F5167,SHA256=B050B894F7D6B3E37E3E5814192B8A3D901359332EA5600C1B95E63014DF61D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:19.154{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FF9839D536FB435C658450D40D39EE,SHA256=3343C5D2C7F9E90B5DF7A6D7916E077104E7A39648A782001155F88A3C7FD069,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.179{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5689-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000258923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.863{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.424{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A845F0BE745B4F0319289558E73FAE,SHA256=24604313C0291C4C54CC3BF37EF20237A00EE6A56348C29608929EA35CAA3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:20.185{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5432D5BB00ED59A8183168F7170A9A54,SHA256=39C2D50B279B853094F5C2B26881191A344E00303BEB75392A381632599113A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.049{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E092FD12D0C2C71D4984DEE48D0417D,SHA256=7BF63EF5D10F86E3D2C610ED438F14ED8B5BDBC6BBED5C1E59B38480A705C9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.550{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.455{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC7416DC498E489B37FDB33FD18BBF9,SHA256=41A1ACBEBB48C21AB247DE660EBE698FD77EBBF26B8A95C5F0B99B1AD7804904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.201{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6372F97670634886C64040D3DAD9D47,SHA256=45CF6D685B3110FD40094D4CEF415F4676A0492302F6E539FB5CB9CD6E6969E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4390124D8EA0A82DF106BF4CE3BD3296,SHA256=2E67C63C0F2F6DE8591C26FCFDF0F012CC3CD7906074E8DE89819A58C32E3FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.065{C189DCE5-9150-6149-1527-00000000FC01}10162520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.877{C189DCE5-9152-6149-1827-00000000FC01}24883736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8624DC168BAA3A92D0E2DCBAFF71DC30,SHA256=702FACECDA189B3EA69FE3F7A863C1F127BB26AB369D17F64F72BC573CB3424D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786BBCE0D3486E58907F5EBC0754D5AB,SHA256=FBBB4A25A593F4AEC172FC2145A657B5ACCE59F376A61ACECA076B5FFED24186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.722{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000295865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000295864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000295863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000295862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.201{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D332114A4D5415555AC745ADB93B7EC7,SHA256=F5DA2D50EEE5F271FD17D712C3FEE20CAF9DA15873002AC5C28441C425CE4AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000258941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:19.600{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7128-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EA40A8E433C31FE2A6C8F8261B75F5,SHA256=0CF45E7568F23C34DACBE522868601763F4225811F0DCC2E94976D14AB8E12F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.331{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59140-false10.0.1.12-8000- 23542300x8000000000000000295866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:23.212{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5A12B80F6F3C512E2AFB0A913ABA80,SHA256=16F3FCB65C2298251BEF5BBF7D857958DE763B3F6CDC11EA6BD740A68B4D8C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.732{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1B4199E842A2EF3C74E209A7BE51679,SHA256=85812BD7F6798FEFD05F78E449FEBD07518554534E98CBAA5DD6D35A66713D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.003{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8612-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.779{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E282CC6683411C9D2D46DB4954B528C,SHA256=D1F469C1C654EB1C63B2955BDDA11ED3C011AF8462C1B7AB347CD5153921C36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.779{C189DCE5-9154-6149-1927-00000000FC01}38681032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000295874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.009{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59143-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.009{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59143-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.003{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59142-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.003{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59142-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.989{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59141-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000295869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.989{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59141-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000295868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:24.212{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B356ABAFFFCCDA023566ADB35D24B6,SHA256=118FFFD84DB21ADC44DB90C9EDA677464A80F7DC47CF36BB170D80AA3A044035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.608{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.810{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428E76B4844F5C980DDC77F48F1DB7F7,SHA256=349F020098F5CA9B78EF0B4C9C4C5AB135C199C9360C90E88D3503F324BCED53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:25.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D046E28EA0282F10A28F7DCA47471DD,SHA256=092BA8A6689C9C65E45674DD03578E2821F0646F080B49F1FCDB792EF5B35B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.669{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F143984DA6911CB219A2542E56B21415,SHA256=5B4293F8F4EEB3CEF71C46BABBEC5FC7533CFA522AD97D47F2BDC94D805DA46E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.466{C189DCE5-9155-6149-1A27-00000000FC01}34802760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.842{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.810{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7175209B3EB6CD5FF854D97F8FFDB241,SHA256=27A5DA55EEE1CCD3C9D4F128850ABEADE8F6687C8B6B9CA8B827723F351B0A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EBA8DE2E4E6AA92CDECBF4DD7B8C5,SHA256=F1FB956B171BF22511C47353837837EDACAE86962150C84E34DDE2382269D140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.903{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.903{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.897{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.897{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.898{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11539-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.581{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.475{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9995-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000295951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A6FE3E7401E8B65B2DAD87B3F5A89B,SHA256=8AE83785FFBDC25F32A348AD6CAEB053B499AD3261E16BC8A9EB1BDF7751F55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.774{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-9156-6149-842B-00000000FB01}80885488C:\Windows\system32\AUDIODG.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+1665|C:\Windows\system32\AUDIODG.EXE+294b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000295910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\audiosrv.dll+d70b|c:\windows\system32\audiosrv.dll+d080|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+d05a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-9156-6149-842B-00000000FB01}80887128C:\Windows\system32\AUDIODG.EXE{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+123f3|C:\Windows\system32\AUDIODG.EXE+15dbf|C:\Windows\system32\AUDIODG.EXE+18297|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.681{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.681{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\audiosrv.dll+17a8c|c:\windows\system32\audiosrv.dll+174ab|c:\windows\system32\audiosrv.dll+1767b|c:\windows\system32\audiosrv.dll+17431|c:\windows\system32\audiosrv.dll+d02f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.259{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268231330C3E65CC1BA58F0C9C6C7F11,SHA256=9CD0D1A1C74A9BE81BF97140E473666C7BD2C4EF6D0C025F498559EF9C3B326C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:27.826{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFF5B71714198D0BD62DCE3A3D037C7,SHA256=08957A05311A5D78547221E4C9CAF274F6976DB7072BA14B1E50AAC9461577DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.885{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5854DE29E6B259589C4C982BF3F05F6E,SHA256=8CC6C431E67506E78D9AC76BB42A6A4B2BEC4F0D167194E4B072B04226401A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:27.200{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01BEB80C05227287C5E91493701B83A2,SHA256=2412231AD84B03DAB065BABF4D7348513A453D3655FB99E3EEBAA68631DDB45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.841{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB48E24F6F8B5ECC8D5E3D26F36FCF95,SHA256=18E383F565EB5791545E532995AFD7757F593D4B96F4EA50B5FAED1A19937ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.499{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59144-false10.0.1.12-8000- 23542300x8000000000000000295972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:28.606{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=73CE7C9D78133165B9D980BBC89E7DF5,SHA256=FB9FCC2797B345A3BA1EE09C5BA3FD3FB7C4302A0C815C05AD5650B93492AD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:28.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79F9D0039E99689981194CFD128DA1B,SHA256=EFDB9C92098F68E349B4B6F6C600D57CC8AD5A4DA3FE6C394390FE0FFE1E7C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C4032FC7A00453AB161661F6F76D8F2,SHA256=483A755383CA738D187F1A9F5C8D0ECF744EFC852F22B7C155C8B53DABEE6AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.321{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12949-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:29.857{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66E2E38318023D08D451A1DF9D30E8D,SHA256=AADDD5C38222561C30200F3F97F5FBFF48DE2146FCB452B5DE511774CCDC4B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C47AC72F7FBEE8F2DC266DDF04AB7D,SHA256=E8456F16A2059F92FA9B063479F7260384225D15875C89D947D88B1F03D76803,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.775{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14428-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000295975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.134{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.134{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:30.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F033825788DD6C316E0C05C43AF2FD36,SHA256=90AF903B2B98057865F38624B2FA6286B6CCC70497230FC67F9EEF9DDBD9823D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:30.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED6A8F9D0B357217BE1D39DCA1C376,SHA256=992BADAA17FFE578F35D285F3863320CCC42E9F102FE1CF5C343CBC7DAB9B0D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.181{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15936-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:30.091{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EF32CA3A6E7F30DC14A9EF95586FCCA,SHA256=96F454BF0FE0C81BF043E3A6D1B4C0865742EFC6B9EFCEF06F8E769828B78D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.903{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895D4D50F3DDAD2C6B7B114BC58E60FC,SHA256=217854716A31D3FE526FF6C1F5F43730287D7FFFF10FCF10437EBF0DDABD85E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.731{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1368MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF811A1BC363E21D6A95870E300C08A0,SHA256=CF5EEB967DE29DCC899D7229D08B412E975C22CB8A66A63CD0B64B3D1B48CA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE1E0EB2E1FA9CC00713AB966CA0A49F,SHA256=EF441A71E1E4708DB804EF8C8C1B1D71B8AB22DDD4C76635C1736F8D9EA9A424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.581{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:32.903{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B309FF40DD8F86CFA1A99B1C1D7062D,SHA256=35C163D15740766BBEE3E426CC0A5F10B87534F8C9264C1795364ED547A51255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:32.746{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1369MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:32.322{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4DB8FD06162E2424EAE0D212E5A116,SHA256=F044E94C6C7FC69B92A4EDA0A70736A25D4BFF528BA7B377D9600A33EAE997B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:29.663{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17320-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.935{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66669C62514433D95FC2A78620466967,SHA256=1E375B6D72C0EA11C2DAA71DDDCAD002D65EF2D187953FC893C846BB8BEBFD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.562{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59145-false10.0.1.12-8000- 23542300x8000000000000000295982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:33.328{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16340BBC75F8FF951CDBE63409722AE5,SHA256=55694B6EFFAD552518D4F5B51C68921496F1FD278881654DFC7E82844A4EBA12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.143{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18944-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.013{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B2BCEF0A9DA87CA59051ECED88F0585,SHA256=E7387373CDE801C4F36D4DF2AC0BD8024912F9BDFE9C9E51F19164F82A9483CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:34.344{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175EAB4DB03BE509CB2E9D5CE6E807B2,SHA256=3ED122E5CBB05D7D6C36424B34041DC2ACEDDD6845E868A185CBE1CACFCB6608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.575{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7BADA264F37F14FB4A091B866312F0,SHA256=BF2914B3C442500D232E523457B924D5C9CB600EF44977B2D1D5DFD579D98613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:32.565{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20325-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000295985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:35.344{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5708D4966A10D6A63EE0C2658ACD33,SHA256=1AEA17A082E984D2DDC5E8CAA85CF2A0A932C34DDB36BA7F1B9D98C5287D10CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.669{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A49C125855D859B59EF387D8687AFE5E,SHA256=798057DC90358AA5D8E082274C9BE8065BEB690D384332B52E8C61E6A1684F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.997{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5055729A88ED89D118A5761BEF08156,SHA256=239D3294875DAD1D48486A45393CD4A942A241C4D87DDCF28C3E6FD9FE6BC1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:36.360{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F384A0DA62E3AFED26B56CF37FF11DB,SHA256=21265D2A78854F8D6E0BCAFF6779AA1F17698A158C7AA4690D1A70E2CE5F1F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.156{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21974-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.050{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu55859-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.329{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com65029-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:36.231{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:36.028{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD82A00A0775811FA0583497CF26B1E,SHA256=1CC7AF9FC1EAD3BD7C19F7ED6BED2E7869A262C39AB86B8A261FD273B422B943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:36.329{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:35.631{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59146-false10.0.1.12-8089- 23542300x8000000000000000295988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.375{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B9AF6B794736D69F0C4E509E2BF60D,SHA256=EB508B4323C8761AEE698C52BCCFBB99D47F273F57B5C301E7328F8D7C01A8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4EB70C7534198694E3F8188F6479B12,SHA256=3359C1FBB2DA4A433967E2831CBCD8CFA68E46ACA2E7C9E82FF3965970FC74E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.690{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.684{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23373-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.596{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.075{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A39A20D0A0D9A6F04574BBFF8671A9,SHA256=1D92AD870E7FF29BED0D7350180C99389BA91169EC1FBB893AF7723217A75A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:38.375{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A53726BF9B35580E0FF8CD98650A625,SHA256=916CCD8D2696ABF19E1D1DC33532ADBDE0C1FEA94BA975E9BF23A5AA98B31CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.843{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1360MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.091{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB55927BC0C04334E9137DA389BE92B0,SHA256=F9E656355ADE6DA5CE9D9ACAD77E8A889C3C447FD14683E4527DE0E288B455FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.850{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1361MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.130{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD02F9D87B0A16959A05E6587CE1D99,SHA256=7B2AE61E381D4B76663047F155BD332ADC36A05B3A7FE82845EF2025D7E33B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.851{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-49623-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000295992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59147-false10.0.1.12-8000- 23542300x8000000000000000295991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:39.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D88B912BBC9382FD71A3AE6B931AA,SHA256=F20B578503CD1E4777B4F115FF253D3EDCE0A72FE45CF5167DB64AF2609EC49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.114{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70F3F8D2DB45CA316F4ACEFA0DF5523C,SHA256=8DD3DCC9AED6974E4A4EF522F8AAA8BA42F8AD0402046B234E437F52273D10AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:40.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF4421667C452B49E4B18B02726D858,SHA256=CD96FE111A3423B29E4E099498ADE76BC386C71770DFB7CB5B3CE7C5043DBB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.616{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBCE29A8B8B8B4273BF69E751A97CA7F,SHA256=EF3C9EEC1E7E45C1744453C773C98AC4326FDF7BEEAA97F803EA61514A673C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.734{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26577-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.278{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24977-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA48000CB31ED9DD6470DD76E6353157,SHA256=EF14E951D67D15F00DEAA0754B3B17CD8208E75A630E6BE114408A097CB693D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:41.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5705D6CFF624D6E392D2860B10D83F42,SHA256=1E554FBDD8A844FDCF00AF1CA291D06860E691A63F5745D6641C1F5E04E03A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:41.178{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13620CCAA9F0D4C29EDA81192195C9BA,SHA256=66E24333AFD501D411873316D9DA713479A65375B8248513149B1BD0AD70F029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:42.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D609DD1494486B220509E51CFD41440D,SHA256=CE8AB021D8AE60CA0331BDDDAE5A70308B78F98258917147E7D3062B77D3CED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.606{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.188{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28005-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:42.194{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B873C489EEBA6A0086F6F9FBB53F544,SHA256=F5FC460B8313985EB98CBB1326603FCFB2229A51D12B453A953D0F30DE36340C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:42.038{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F17D5AA2D703FDF3EA3D073E45D2125E,SHA256=A566FC9745C5AEEA13015EA49EFD908874F36EC343030B7E75D4CD36E03782FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:43.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F90EC92BEE8DD02BCA46E6C8AEFD5,SHA256=2112E72C475AD520874B1D809DE406AAADC0A0E105CF9BDE93BB9D0CF802D175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:43.235{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F72C6347932C66745EF1F418FE97FC1,SHA256=E5878BA993A6ED6ABE1A21042C5A5808C42F8BAD69258A184FD6FC13CB6A9F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:44.450{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E28792921CE79EF514CB2C8E678557,SHA256=DACC8EDC765423931DCDFBAE9AE5247875DE7FC6F3AF98C68F020A59111DB881,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:41.600{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29587-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.267{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4401ACE00F9A451C992A2EA8009EA5AB,SHA256=DE557CE481DFC1A61069947E07B45D7AEA216F129B3244A6C3C026B6C848990B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.017{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD88C7C36E1D52B1D7DB82733CEC0471,SHA256=BEB042AC876B79FF111EFF55ADCDCBF35AE55529F49BEBA9B361482A8B1312AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:45.466{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936DAC878D519BE699F27AE7AA9762F5,SHA256=69001A511AB6717E8BE09209939CBFE4F8244C7074523D53B68C9013E9C8692C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:43.588{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31400-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:45.392{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=912D9F29F44EE9A7D22C2ADEBA03CB8B,SHA256=AA3D54B764DD874E0B9C167F9F38EB16308E781EF7CD71DAB8A8FB5EE8269DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:45.267{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8581772694A71191BB451468DFF554E,SHA256=B8F27C39DCE4458643BA17DF13CD739D78F7CF6DAB4B6B029242782E53E1C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:46.482{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26821E96C64AE5DB6F9E8928B5C78613,SHA256=39D0EFE7005E6252E9AC89E19828241487C995C99142EF11D8C31B29E07B0B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.282{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3B03E6A61DFF6D2529CDE39C02A696,SHA256=FDF8CA31C1483FCBA07D9F44C26FD5362A35B1CCA19A9E9378AFF7A2C502B67B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:43.440{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59148-false10.0.1.12-8000- 23542300x8000000000000000296002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:47.497{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93767CB1EF8679F7F0BA5C5D55D86527,SHA256=7588DC81E40D774D5436407CFBA4E6B427E59B4A2A7885C7F9B2BE94F5B2650E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.995{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32978-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36FE84069221067391B1B7C2F6FB57E,SHA256=2830E23C743CB97E7B8B6595A4864DCEFC49D4F873A19BFE7D69F561FA2DE93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C07A6833E0F10F745D35F3D922FAED0,SHA256=0006A1ED488234CB3FCE42F910C49B252A603962699848114B11A1ABA19EA459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:48.513{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1948EEC965BC1B5EC12BBBBFB20BAC7C,SHA256=1D6D627362C08208A0C34C9092BE2B7C6F93E679718FC04F15A7459B173174BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:48.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50754FAD3A4CBCAD55CD0892F3CBD0AD,SHA256=6E352E2CFAA9BF937986C4A513D6A9FB8A086C2CE5CE58FCA163C34B584F2091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:48.313{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69BD4D1AFBC7BABAB56286014A46106,SHA256=B7E391C168C0E63314800D320713C4E815C71A784C0977577F9824C129DB43A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:49.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3221E38A57C1A38E45FE9B58FC4F2D7,SHA256=CD8E4F5913144DB3B1E5F0EDA540F4CB06E926E6640E0669B2B84BBFD2CEC74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.845{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94E6185633609D99B3872CAF252DB442,SHA256=88403FAE9361FE0C1A1F4F1E8312C47E59F8CBA20F970BD0AA7CD0CD861DA4F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.959{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35915-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.647{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.616{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34392-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.329{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE16428B1857255698DFA2FD78E5B1F,SHA256=B81DB8C686C6B71CA564FCEA9A553FD83FACD9A70C2F07337AED6D2E0F1FBA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:50.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F56DC5CE0BFE004CC16C53FA00F7C7,SHA256=1FE88853BE27322C222F1836693CE73675D6E2B825DD949E1C35978C34584FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:50.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4748AA8955EA4E5B0DCD199CC08B7F3F,SHA256=DF9C5E4D5546EA3857F2B5656A71436FB28753371C79079FFA00BDF09A3AC02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:51.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CC37FC4D7484546A935CC2FF5FF56A,SHA256=0FFF5EC1727EB357AACF1A1C78D45FBDC0553B677FCE8D6FBADE381B99A44DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:51.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1B1D5713820E8D19FAD953D055C9F4,SHA256=84955235679C398ED141130BD8A6CA8C10052308CCDAEE7A11F015B61F3832A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:51.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E17B3EF260DA6C60DA4A0774ADB56B5,SHA256=4CC35608DA68DD7D08B9CA56542F230B74CBCD730CAE400C7483EDE9F92A5061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:48.581{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59149-false10.0.1.12-8000- 10341000x8000000000000000296016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.560{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF35B4A81AC58BF07D1310CF70EFE96,SHA256=DC550429CF4A9C07799C8FC6A60A6C89D1B08F594E9079BF67315F5D875953A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.474{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37376-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.688{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E69DB68990C74D1F1E95CD3C6CC7A64,SHA256=F9914BB72ADBDE61383ABE5E10E814D2C44B84F3A57304FC0D2D1D05B88CCC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA9E8DD64E4A6372A69E80C3785FAF,SHA256=F3FE2C38F3DDD298FF1A7CD573DB69B9D2BE7BC599F6F4C45A1890DD1B21556B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.920{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.576{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE37745DBEEF821C60665EE6E312C12,SHA256=8E64AE44494CE58D98F3E2FD1A2F985B55A71E906A6A95C760218E3B46E85757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:50.925{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38878-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:53.360{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AEA1F90D33BD17B1D688F0C73E3E5A,SHA256=4B1832BDB7B6F16186666E9D553896BFF032BA7D4BB1BAFB965907550555B2E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.248{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.732{5097E253-9172-6149-882B-00000000FB01}65806368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.592{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A7E808912FDFCC01394810A638A5BE,SHA256=4C5696143936B4B7F0DACB9B993ABC1906C2318DA09E6AAE665276120D8D14D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.538{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.317{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40323-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A6954C148B34BC0EF5FCD706E97331,SHA256=8A327F4C59B17928D02DA1246C5EF09089B9D840A4DF2B13351C5E0BD21493AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.060{5097E253-9171-6149-872B-00000000FB01}13645296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E64FEB622C4DD64DCD4BBBFD00003786,SHA256=3B9384B3FBBD1A71184A193182C899F441395B592C6448A89DCE3C007177CDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:53.818{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41842-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F36AEC9111DC5B91F8470A70FB6D76,SHA256=2AE3BB74BDEF9E94EB49D5F69B664B3531821DC6C885C8380344C3C929427572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE140358FFC4D129CE4016940F33312,SHA256=E5AE8B13A867B2B2C3E7410D7EA40940A92576DA7C209AEF52B14B4C4310EE3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.919{5097E253-9173-6149-8A2B-00000000FB01}7206788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.780{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.591{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FE682E52A2B3FB36B42A2F20B495DB,SHA256=6E5A37F7272EF63971931BBE936E682B23194C63D02DD3EA2CDDFF516BB76A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.435{5097E253-9173-6149-892B-00000000FB01}42921496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.264{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:56.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C6D52AC7F66FBEB2032FE7D0633C34,SHA256=B799C79545C34069D432C1BE9F2F5EFFA267F30584D0AE5FEBEE8DB73E7BC4AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.331{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com63879-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:56.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F86CD146DAB4A225FA13DAF16549FF4,SHA256=28EC827BB6606493889BE42CD3E3E9CB273CFE3DA3D83918E019F88E64F8DBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59150-false10.0.1.12-8000- 23542300x8000000000000000296066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:57.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4768C0CC907FDE9E3F4FC0E1F6051B8,SHA256=9F8924670351F8E34671DB626F81B81CC9BADC392C9DE7F0A63D683A247847B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.185{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43266-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:57.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F134B4F380336459E7180438A5AB13,SHA256=0AB1A8EE7BC88F9EEB76656674D09F3688EA193105E327DDA34F76CAF8137CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:57.079{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=823C7E1CE2C805244179EBF7C0DEEDB4,SHA256=579BF32C527F252E7E47F835E45025AE7AA6D542E4665D9B4F9D71ECB87A9FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:58.622{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA94BA4C24973409B7D7905DBCABB2D,SHA256=14847C0C38A3DDA36A0AEC9EE5B69A9AA77699A82CA5D78032A04FAE7E99404F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:56.799{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44884-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7000D1BC0996A9A58B7FDBA86AAD216C,SHA256=362995561FCB4631B48EB3736D17CDC12D235C758C5A1BC9298C4A42C53BE303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB06386F0CA5A0023AB5CC08381E56,SHA256=852D302749238599E33459F60782EE5CC864BB4D959788077E3D75B73DF4BBE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.816{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59151-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.815{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59151-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000296070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:59.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC0B0D4954F2FA95CA550831BDC59AB,SHA256=05FB3D166475DB9E09712D0F7E843CAD4FDDBF03463A856A4A25E760385848F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:59.454{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24755A56C40520AA657BA2530E9DF916,SHA256=6EF0A03C8F1EE4551F5D8E8F836D17F6C32739C755A2E00CCDFF4FE574B0D070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD764E2E145336F8570A5FDE76C8C1C0,SHA256=86918F72F8D882D3DD14AAF3BE086F84CD371B700B8CAE787A139E10CB2E20D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.569{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.240{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46334-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1F5DA199DEA6E04D34E8B7BD09B375,SHA256=D2877D7372AE3EB108D0DD2A079DD28C73FD5B419C9ADEC8270117C4C958CFF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.173{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D4503474ACF307F195DE9606B25AAE,SHA256=49F7D23870890E63B0CB508609AA909A54DA68DE89D8D760AE56A830198C7C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:01.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE244652B35627EA64F1EB9E7D565E3,SHA256=6C2C24FE5E0C4105C4C47F7194701A4099BF9A96EFFB42278E800523A24D371E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:59.813{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47918-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:01.485{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED42A366DCA1482BD59D10D7D8C38C7,SHA256=ACBE425613E059C69AB2E5397AB0F95839484C0D907B7DD2CA8365FB20D30F7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59152-false10.0.1.12-8000- 23542300x8000000000000000296081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:02.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13B89D24B489B66B8E57B0FB5687639,SHA256=0A1E3B771B0D60DDBEB7C858D598D536BD860FD80D591404F63316F481E7C03C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.163{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48287-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:02.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C04FD8C1680A6F8B2FEA8E9513B697,SHA256=9330C5EEF069F5DF39E42280E0B65FE79309DB64A55C57FA3B6987B78A303B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:02.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351D702CAEDAA5F671885145F5FD73E1,SHA256=AA51CEE8C16D055A179E392E5DF79215E0F90EDA9A621A0E8D5DD6F66D4ABD32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:01.569{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49814-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D79E49C4265CACFCD36EEEF9539CD1,SHA256=2FE9E84857E184E4EC223A14CFDB8B69B59DBCD50F862B0873FEFF04A0830445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5A07D31E6C726F4AD1E1F975249CDF5,SHA256=0968855F0BF3C4F07EB6DD3F5FD79EA04A8DC26792EC84621976AF4FD2D92B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:03.720{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D83DB298426A172C88DFF2E9B408E,SHA256=FE3271CC77844DFE2DC93BBEEBEA19CE0234D1C2FE2F5F03DEBF01E89B1AF05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.192{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE31B5D2DD9268459D9C6E82D490B1B6,SHA256=D13E9F91E88827389B971F50A1B0F96CE5F48DECDE035CA517936DDC2F607F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:04.736{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF11B117C70F4EFCAC08BC04308EF6,SHA256=B4A81547B00648D899F0E85C95185EF8FF07D38314837556E52B92AB4F7DF3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.118{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.520{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAFA541F42D6D8B91101E0E8126D38E,SHA256=7C1847EC6733F080EE8A79A2C3683987FDD37E624D5A74AD2DBCCAFE9B0C3236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:05.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D1A35AA133A765288E0061325725A9,SHA256=C6FC8AC5A5A1BBD2F8E67383E6B336CA2D3B5C4A2F7CAC4832E354718241BF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:05.536{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22C73580C5064029B115EEEDAC85CA5,SHA256=B7315BA7A57FBCC9A7444FEAEED653DF1CBE4DA77EE31C357E698379836AF8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:05.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54157BBF781F881683DCA31CAE332123,SHA256=8FDB68E6342FBF257822C76C95E4648D8F9C86306E4BAE22250020896024AB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:06.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0640AE32DA4426627F4F2167BD3FF5,SHA256=9D52AA25D4FE018E787A50AC20342A82E1AEA84334634B1AFDB60B1420C9105D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=937364D5BA37D0167613698B9418568B,SHA256=C5AF20D8244A7A9675374C27080EF3A5558F7CAE61F49460D4690663F7608BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.551{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A0AAF8D2698E02E50BAD3EE581F970,SHA256=BF22EE3649917D31B8EE3F36A301EF0B9C0D58DBA5AA4B7A304944E548D146F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:05.413{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59153-false10.0.1.12-8000- 23542300x8000000000000000259131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:07.567{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F8733BF9C8D07EE181AD2E57DB0F88,SHA256=4B13D0A8C6929721248B4B8452265CA20D146D97A8F195856FF4E6981660FAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.730{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-9156-6149-842B-00000000FB01}80885488C:\Windows\system32\AUDIODG.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+1665|C:\Windows\system32\AUDIODG.EXE+294b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\audiosrv.dll+d70b|c:\windows\system32\audiosrv.dll+d080|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+d05a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.786{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53007-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.557{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.871{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A497BFBA6F6BDB4B3F3C57A4C07BDE7,SHA256=E8121E3FED4944E69AC21D2E5F448DBCEB0F1C07D87E58807D82839AF19E36A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E07B54C5155F0A0155141C369676AE8,SHA256=FE124743B30E07CE0B2CE34B909A0C2D5AA6AE72730AE257B6EB8932A8634209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.721{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.228{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294D50ADEA436BE01DC8E884ABBA5D36,SHA256=8BC646ED42F22FAAF8B3B46C0D44527998716DCDB096F7A29FEEEA9EB88DA823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.191{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9A78069749CF7A2D47705DC5D24292,SHA256=326B9C944E20ACE15FDABD50182C66D66520DD4542804B3B0A3D9D0C907772C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C346801C23FE8C13248FD88B51CAE05,SHA256=FF7FBDF632B03E3097DA8E6F50C87F0557007A2125F8EAB7E2502457FFF304C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.353{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54615-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.801{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BE2DC793E434BFEF02B24BC7C4235FA,SHA256=9A266E1611AF9E18AB1C58651F7F56DD975C4FD8AD8783690A7B905248AD25FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF885DE8FB4C1AA6A7D8586BC39A1E,SHA256=38FE87347218A68E676AD4BFD24D6C9E7A0B90B0935678B5AF096EE63E792C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A44BE3D6E3761BC9F68109CFA15F842,SHA256=A5628B049E2570515808235B11209400ECE71FE07E6E5CC6B2EC084F2F4EE7C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.482{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.482{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:10.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EE4187AA809AEF4D144253F20CAE76,SHA256=4DC2C88CB1A3F73F3BA0B3CBE102D6E9C7AD382E3090DF66F7E7A5C3A46B532F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.380{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57818-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.001{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56295-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:10.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C28519E423B701B561D4C092E2A2591,SHA256=888160DE9760CF34F848F7A84D9269D868270F186A7D6F370AECE7812CB82297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:11.900{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1806675C38859116B74D5820F04F27B,SHA256=5F573E1AA6034709F69F403B05B2A380D0FB3ABD29E308A66300B7D05441E984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:11.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7504DF1AC5FD65FE71496A33A23BE4E9,SHA256=C8CEE393AFF1E2F949A61F2CEA36798EBBF14C030F887CAB5A122F351B9C8044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:11.348{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C094D0BCB048CA354AF44525A1208C6,SHA256=B4CC19ED4E77E1B33374C5B3EA0C3302E2A6F785A3AA633B63CEA1A878839A03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:10.452{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59154-false10.0.1.12-8000- 23542300x8000000000000000296175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:12.915{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF94BB535761353F81F0E4113F73C67,SHA256=44AB1EE128C054527F3EF62C994750F2E58C70AA25E61B7EB3F7E9B46B004372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.832{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9D6890A0CCDADEDC4CE08792F621B6,SHA256=71AFBDA2E25D13752DB95D53B66DFAB334A79AA9D943731C7F32028A5A235A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA223C538A14760CE4BB1EE0E30FDB83,SHA256=4ABDBE3D81C503F053E566519EE47FA93D023E3D70E5C2305D43EB1B954B25A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.714{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:13.931{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE3F2BD7CDD40288803C6AE7F83D84,SHA256=577CC13BBEDF398E155BA40BBC81304C360B3946A1F0D025CD872D2BD03C7C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:13.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4092BA7AE7C96B3242F95466F8FC2667,SHA256=E4ED9342D59349E1A94BB9C5BE3720D359FD15CC04CC1074D4CD3E81770BCF6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:10.942{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59347-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:14.931{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B0CDE08A0CDB319E2D4EE1A3CF51B3,SHA256=89897CDAE2864C9F08D569E74899C3021B607D809202C99221860D12FFC5D9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:14.629{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5459C4D6FB8326BBA627DB6FDF70631,SHA256=2FFEC05EB8674DD570D37FC21AF21EB388F49C34E94DA508428C57107BF2F861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:14.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B63364F5029FAF50E3965C8ABE2AB2B,SHA256=EA00C034CFF721A1E258AA9FCE9ED2DF22062B4F0D75AA0E96FE8F6609C98966,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.406{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1976-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:15.947{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1900D7504ABCFE536D8106E1313CE2A,SHA256=FAD788619FAA9A9D1D9C63567B7521162CB0EB1EE8EBA280EC944557E5DAFB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.645{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C7E288350CB074626D96C03431165B,SHA256=C4357B2D55D356DDDCB4AF02816F46D63ACDD986361BE8F408DC00A8E3D19A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:16.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7160A0BE3752F231CDD0FD31129BAE,SHA256=AD45A07319C190CCC2CD6401917A319706527C9332EDF5798F5608DD7BFA41EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:16.660{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE9F444942CB2162ABCD4645C02BCE,SHA256=C0FC17667A7B40B46E46E2678CE6F1E3A1A8287269CFA2CC98747AAAD62B437A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:16.145{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E98BFCA075255459E625EDD830E403DF,SHA256=94CEC3FD616E447173C202086564DE3A3227AC3AE571F2E2D47DF2CF638A8711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:17.978{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29359D5B571132C551FA2F20FAB2018E,SHA256=4AD9F89AC8E4B56EDD1184517E185AE051E184FC9C4B0226DC0F07FC7CEA71ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D688FA36DB497AD85A796416E956A85,SHA256=707268C3E4D2D8142416F7187B8B1C1D58F3C2C00D309F554E9D7F4AAAC4786B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.395{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2564D86C9FDC8A6E03BF4FA84D4D89E6,SHA256=D6E2B8BB24E0A6CB455F5C657787329B09DBAD36232AE3A844EE0B861A7250A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.479{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:13.901{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3436-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:18.978{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F372FBAA2B6CDD940151629FF53D55,SHA256=AA197DC28697547DC5042F061AF632B32B0D038E0CAFCEA84C8120AC7B7F8D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:18.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A91FF923F89B1CCD93F699F2A2EED9,SHA256=092A4A1B6EBC1DEF55BC5AD54C49AAA25C0B80C6B51A9C0D7CFF2CEC19F0A1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.778{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5214-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.701{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com63203-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:19.994{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B53A2D587DB6BA30526D1BF72B48B4,SHA256=5E6686A4445265D45F9994F0049ADC0B0906959277CA9661DA8CD98734B492C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:19.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4B2B66BD8071A47BC0E4A84D3A44AA,SHA256=63783BE43188A98985B49F84327369F57131D804BAFB3F3961F6C66D546791EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:16.421{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59155-false10.0.1.12-8000- 23542300x8000000000000000259160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:19.317{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB92F2173B3F6B07EF7ED914343BF987,SHA256=409D86C321AB6655C288C556E9888D6407CF416190BD9883D22D64D6FED2AAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.849{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA14A25A1E4F727248BF76F446830C2F,SHA256=6DDA02F9B451E0E6AD724B8AB74442811DEB04FF444DF35F731D595E0CAAB4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C9EC50660BF17CCE2B1E34C5F84F1C,SHA256=7492F2A384EC8ECEA24B8918335646A71138620288939F6D7E4709876AD782C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.227{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6766-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.849{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:21.009{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0266BDD12B9F620A81FD769E06AD2756,SHA256=2441117C6C330FCA10FC00972604CB9D23B5A23434125EA6F3D5B3A19E0A49E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.567{C189DCE5-918D-6149-1D27-00000000FC01}32042216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:18.929{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8367-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.349{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.098{C189DCE5-918C-6149-1C27-00000000FC01}10283480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:22.009{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A60FBFCBC32BFEEB86B9A95882A8BFA,SHA256=D1732FE7C76FB94EA380270030D4C5AB432618343F87E0FE725EA1F819DF5961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735AEF399FBF26531D5F48EACE74586D,SHA256=902B51FE44449A3BD4C8F83C334E57EFB8A16CDB6624EF6602E20AF0C15940D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8899E84B479A9B76FC2C1273FDC3E0,SHA256=2B86111E7FD8C675D643325903B64FA4541FD1DC886C566E466FD4B30D89FB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.524{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6876A015FA449FA481EAD4B43E383B6,SHA256=FFFA8552F5FEA50254F627FE11BF50774161686BA965A4948716F09CFA2E999F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.371{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9954-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.149{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BB43E16FE60399BFE69D400F23C905,SHA256=C6CD5D59346FACE0407E3EBCA38DDF616262D5BBE0A21AF3FB06869AE4A8057E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:23.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947DB9E62DCFCB33CE4A57B51F3E183D,SHA256=0523EB832B2B05C67DB46827CCCF783D0ADDC28BDB7429C68414245AD713C983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.818{C189DCE5-9190-6149-2027-00000000FC01}10001876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.603{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.131{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11697-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.165{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE074FE49AAA9076C2CA7B4A73B70E10,SHA256=22F3664CC23E7BFF2CFDEDF3C666C44A9B75F599C4541898E5AC9C9E65025AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:24.069{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FBB8AD593DD0028E691A11640DE7BB,SHA256=26EB36600A0D263C8DCB1C6788F8D69D3D54268D7A54616BB81397DCD8C23B2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.552{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13236-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDB0BAC9BF9DCD3003856A3E25E3BA8,SHA256=C9BB75CA8C3E52AEB3C21B2A9D7283DA2E6FBCB5BF5CF0A46C9227A1CB542F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7740017435CFD96BAE8E5A4C2B6791E0,SHA256=ACF8E56C6457CE8B0C755805E73E56FCCF38525910EA9355A6E04199FB8FBC5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.290{C189DCE5-9191-6149-2127-00000000FC01}33043968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:22.358{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59156-false10.0.1.12-8000- 23542300x8000000000000000296189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:25.084{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E8C1A5386493E03CA959C5DB221CC,SHA256=0B5A5DDA81FD9CB7D38EF78EEBE46A952A2F7CF97EC2948032019AFB739BAA8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.104{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:26.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BAD5604A37116855643AF586F2BFB7,SHA256=1892EB1D3EB7E08CDF78B93904CF842C23B6CEA35861094604B3BB2ADB40DF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.930{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D036A2DCD2ECA56E2C2CFCC43D98D4B1,SHA256=68C86033CC71121E793CB0AE0D599AB913B42A1C90CB3EDF61D95A9D20C3D254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.681{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.305{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812CA0D1376E0A076511194246542230,SHA256=807E6BCB6527B30B85B579AB74958EA7FAF6B88CDA978ECF43EB8A195DC23125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.040{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14729-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:27.321{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2DC60C258A2369ADD5C45538EEDDE6,SHA256=9FE8FF4AA70ED71A1AC4D581B6214389176623460A6B04608AE54A8A137CAB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:27.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB1F86075D2CCE1DA2F08C41C17F5FD,SHA256=587030122D72FC5F93DDE2E7BCC136CD8C9DB7BAF8F56B5E81A9B0FC2C306BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.702{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.497{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16250-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:28.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69F6A9E55C3C354F1ADCBAC777C0675,SHA256=5A56EDBDED48675D009F09E1A99C8D84702B0D2B5B3FBF0D0AAEFF58A4C82BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:28.616{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DE55538F90FC748C52580CC26BD211FE,SHA256=7B6DB1746276719839940E42C5EC63EE22250D29B88415D8E1B31AE0570F170A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:28.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70569973F185F77C5FDCF0DDB75F4E9,SHA256=82C960E4F2F5DF5E59A00699E2838C2A174CA927862A858D4FCCDA7B68B13577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:28.290{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761D8329F902551E6E4AFAB1D62A772B,SHA256=D517BF9161B5D3A8F69BBAF1F55A12B9876A8899B23EEA43278260A39CDCEAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.962{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C7FE63DD2A29F33925080A6FC9CBD8,SHA256=45B853E3A086E3104D59A73187D5A55885BDE4977CAB1A0361E66BD6D030117A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.368{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854ACECE6AEAA404944035218A504879,SHA256=7FDDD39AA5F18FE05A64C646BEA6EC790E92245F3E96CA09739DD56F8F310AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:29.210{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5483165705C4F1CBD349FC8CDA66F6,SHA256=4B065ADE9E8E7C9137F78233E8AC2E1B6063AD9D7865471DDD4DB08BABF038C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:27.901{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17731-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:30.415{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B98A55DF413E53ACACFD39E1C4BA898,SHA256=3A90CB076E18A65A3A4ECD220FCA4D341943C9B3BE2F375AA03498399F9DBB7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:27.574{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59157-false10.0.1.12-8000- 23542300x8000000000000000296196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:30.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B89B6DBBA30F321363658AC411A1D26,SHA256=2CD67195659A7747CD8EEF3429F10855123097301BDDF3D7B6981C1BAA699944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.622{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19404-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.462{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C981376D877166530BB356192D23D4F,SHA256=5FCC48A2AB57436D2D1074BA116A615F86885A60257CD7C2F68598277C555A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.446{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1A39690A27988F89F83DD2DE8AE3E2,SHA256=697BF3423115E2357353537A8721135ADD022D053377520936C481FA60981C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:31.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C207017BC31C65C7A57003DC02C917E7,SHA256=7013AB13A924BBBCCE0BFB98008C98FB0004CF0DC8ABD3BEDD1E4C99B9B85EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.946{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A547D2E4A3B0CCFFE0A7CFBB59F803,SHA256=79D9AB3B3BF38989728BE44718EC86348ADC1BF3388F628A51F4BB7AE8E96699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.477{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782DDEADE151EF29892237FEA59D77A3,SHA256=A6334D2759C3418334A141C54D6932FE48A2A533EE9BA3AC96FE71B4285FBA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:32.256{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5822BABB12AE0841A9F0DEE2AB20F7,SHA256=7412C39D1B37E45356181EF87B205E8200999E0795ED75180812571F94A28F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:33.508{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5CBFC756D7E52B4BDB7B2369B65BB5,SHA256=4E0C549DDE1140A6B8FF8848673F71FDA33B68AB1843560D8EA98569B632ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.267{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED30D9E15E683CF529C68D4747B26A63,SHA256=ECA544FF806A746832E260FC94DA1A1C8590863CF0BE221458B703E90DD18072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.262{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1369MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.687{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.496{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22506-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.046{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20945-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:34.524{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95B64EB0DDEA862F8F76B1E98DB534C,SHA256=EA69C93BC5DAB30B4B2696A5334E676213D1511C69D776C34D54D7DDC560B4B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:34.277{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC3A4D286323933EAE813FEAA41BB72,SHA256=6131021EC323505E582B446B729734FB458B5F522B1CF7B6F0DDE9CBF18780A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:34.276{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1370MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:34.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=354E98F744F182D714A521795B07EB61,SHA256=579E1C4623245C8D67BFA069BEE3FC25C44F5C64233F610F63501E2668329ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.727{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3623EB8D1A73209B8649ACD69D8333CA,SHA256=28F2D0464671E20BD1B35D1C1461F7654E6B7FD65E6FDB47A69D815AA311D060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.555{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0606D5CBA909DFD28706EA454B27E6D,SHA256=41C27AB6EB8D68BC3C626115D9725A859A8E1A8B8FD2BEA649C297562AA1B08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59158-false10.0.1.12-8000- 23542300x8000000000000000296204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:35.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAE87A9ADF0B22A720842F7FCA619ED,SHA256=3EF1F2DCDED8E7BF3766D03D7EBE7441AAA9B5B4C3B7903262B114B7223EB4E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:33.964{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23958-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.586{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCDFBDCAAD2296D1CEAED094CC52C84,SHA256=FE538D1AF8B9C145F7AC9F45EC8E474CDB65746E8D391865FFC8A8FE9EDDD466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:36.355{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:36.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EA14E5164D3D8471E4CD36423ED168,SHA256=FA27F83CC51E51EB7271A6CD0B6914E3D258E04B94DF3597D409A71234B2DFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.258{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.718{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.279{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25415-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:37.602{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2E1835685BAEA54120525C76ACBB5E,SHA256=6520F4D432D73C386DE17A3960CD1FAB739FAE83DAD1B607FDB60B5EE835CEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:35.657{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59159-false10.0.1.12-8089- 23542300x8000000000000000296208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:37.339{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A58ECDF3BC5F0014D8EC5234181A07,SHA256=CCCA1D425E3241AB2A4E8865B3AE2840826F5B074B3C4CF99B387AAD83750FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:37.274{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050960EE6506AC6D1DE7FA64E84C49BA,SHA256=F1A6E8D519652345FA1C079D7485ACBF1FE0F872BD1281B5B506358F307A8389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.618{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ABDDBA8525AFAB20B7B837A80D6172,SHA256=A519F93A1572D4AE016F38562585F561828495C21BBCC48AB6ECABF07F07A305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.826{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26979-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.691{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com62147-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.558{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5E2A54928D4300A43C78E6C0DA621A,SHA256=2A5443B0E7802D9B35ACD0ABCD71BF25AF38CC664741B23ED1148FFF9C7AE581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.415{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F39D2E424B312464AA4CB9BB9C28DF83,SHA256=4748322AE80DCB9301793C6589767F00E927F10E7766B541541776F02778705F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8792-6149-AA29-00000000FB01}48164044C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8792-6149-AA29-00000000FB01}48164044C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.183{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.183{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.167{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.167{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48166104C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48166104C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48167040C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48167040C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:39.649{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A368FA0F639A827775C032A430456F4,SHA256=6A6C644678176AAE8251A6D846F308CB1E41C6338D65FF12459B7790F41D7AA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=34AF723733FD361853C7AD07BA73927A,SHA256=EF3F246B2729D6888CB7AACBE82B25825F1E46654A72D2C4BFDBB9355B5E18E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000296246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.808{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.808{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.792{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000296243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.792{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF87A88FA3C4D7FCD6D0104265E80658,SHA256=CEF66D62D703C019796F4DAEBFE340B9E43F9095159592E9FDED9C45A06A41CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.532{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59160-false10.0.1.12-8000- 23542300x8000000000000000296272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.824{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CA8F1F903E55F831FB9AFDDE370CDE,SHA256=387E1830D0DBD4424EBD6DFF0A23C756901D1C5AA938941A75621DCCEA7FB249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.717{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA4C6525442852F4D922D1D966BF7AE,SHA256=A95311D235C2A9623E026062F2DA274872F5435C2349F68BEF28D629A7E09E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2E09857CB2A7E766E81F45983864D08,SHA256=31C28E41121904EB50DDA60E89B523ADC513437C4D902BA39D22CF65CA6BBA86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.640{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.372{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1361MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000296265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=34AF723733FD361853C7AD07BA73927A,SHA256=EF3F246B2729D6888CB7AACBE82B25825F1E46654A72D2C4BFDBB9355B5E18E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.011{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.011{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE3ED702C94FD46AA829F0F1ECB1AF8,SHA256=E9DD2DE62EA10706CC18C2D353DEE2173B4A1E16426E85F6446E185B1D43FF30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000259315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.747{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B19AD11001CFC75582627BCE55CCC9,SHA256=61F567C46DE0C766D4D87BE6501E6C8C402D9DC95FCFBCF30CBA412C405B2D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x8000000000000000259314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.841{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28999-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.374{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1362MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:42.928{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16104EE7CD715FF6C8837C5F566C0B60,SHA256=BACA66F9CCFB21369AA31D8DE352CEF8C77FBB291F3141A549B55D5811966764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:42.843{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852A9A010088AC015FB60BA7F5757EAA,SHA256=5443F48581373897DADD8B41211D009D2119C5B8CA1A6A8507CDA5B709AF8DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:42.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72367580E60673A16789D7DA909BC6C2,SHA256=7F6B111386049C82EB00FF3AEF1A58703DA12C7A454BD31B77B9407B29D27F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CC164B490C000317535D591BDFF3A5,SHA256=64DE1DF6C7F447730D9137AA7208327C02DE9F5373684513AD32490528507E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000296303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.586{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=61ADFE68D1904E44052D072437634C4A,SHA256=668148DF3DF1EB2D9B6486346D2F77DEA02BCE09A421B4954DFC5C50E31AD733,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=3C331164B14BC1FAE0D9A80BE60EE2AA,SHA256=08510431DB4B60F6ACA094401E110349CF37A62E5D9094092E3401BE3C26EF9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 354300x8000000000000000259319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30524-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.728{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31428DD503B14A88BB8BF66423FC1281,SHA256=10C22212DC8127F4185B84248091A942075D82FFA67D7A6CB59B8C2C030B1CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88916973A700212EE29839A468537B61,SHA256=99BFD831243C9FC0FC80F6CD7715FF169F95E11137618EE17CC0AE799CCB8B34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.023{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA75BC689BDD5F6B75310D759495620,SHA256=149A94D5AA469E2AEA2D398F039CB3359215527B1CC338A4159AFF50E9BFED8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:45.947{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED81D30C8974F5013DFC741C6DB4C71,SHA256=CA96C5ABCCF74BBF7E05A55B3FB4CA1C541236DA1CB837E446B5EF98118F951A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.367{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BD5A74EA6C941CD76101569B55DC82,SHA256=CF28296A3D6474F095ED071231C7525F3A5ACFF0633554313E404A18E7AAF8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.226{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=9F324BCFF9745B6C4C70E0AEDA8D0222,SHA256=89D3B3D99DC975EC46D3397D4B697B799AD1F2C2B3453F7274018CD76C7AA821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=3000BF2DFF6D6F2502D90E202E76099D,SHA256=8B76EE0B927AC1BE2841E68B7A1E3FEAEA1F9F60604F3C09489C2ADA36E24CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 354300x8000000000000000259324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.355{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33639-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:45.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667832767B6BE7390CDA7CED2F23F44C,SHA256=654B9EADB8BC40CBA1A1C912553C0BCA6EB7F5D14B3B37BD9A814590D030FBAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.851{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32098-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01B4B77990A895DB9E5E2B83D50CA09,SHA256=B4EBB9E8C9DBE6DCDB20C767AA713E38DE6280397D95DE9C06602F0D5285E6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:46.273{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:46.226{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880F99A295EB8A3D466617192E5C42F5,SHA256=5E5BEF8C3590704A32534ADBF02FBBA8EEC50DB3FA9312D7DD8DB8A5B077DD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.857{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35234-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.672{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.619{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485CFB5FD592E8B41A1A8D742275F2FC,SHA256=BE669B7B139FEA65F92AC06487D758413473C0311D41117DBA814313B69BA1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.544{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59161-false10.0.1.12-8000- 23542300x8000000000000000259331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B1EE4E676EE67547E3FFC524374D,SHA256=88564F5BC914FDE0CB8D3667ACECD6017284E10B3F166D1E6CF273AEA0F16AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.258{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599221FEA6116F48B5CD689D4BD06F02,SHA256=8A0095517590F2686D22B77D5FB7C44A726617AA90A1ECF5C548C041C90EEA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D3B0B4B6A9748B0D31A9352E4ABF147,SHA256=679BE6B63945DBDD7D9B7886B20AC6CC00401117C99E23DC2E5F91E7F137122E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:48.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808F58A883A6FAB39719F46367A31D03,SHA256=A2044F24348A580D94BB9621F617164B537AB78BA1CA857FA74B40F318E6F2EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.170{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36712-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.289{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191BF3344C6818C5F65AC92719757DBE,SHA256=F15943997DBEBC50DDB77D28E7B663B0BE26F5978050405CA18321121A3C60B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24AAEC01776A58B0B54C00D70CD3FF84,SHA256=CD2AFCE60DF989F7A6B020B8D59123FCE06CE20545A580796D3E7028DBA8960B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.009{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8A72A3F2DE39D1D8929F72C418C742,SHA256=4B61B2D1F503848923C6DC0A02FB30C8455FEC5334FF07A546DBD0C8BB77C756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165416C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165416C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165440C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165440C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:50.430{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193938961D7C1432FB8F9E53DABD52DF,SHA256=7E2737C3E892EC517D9192A41A899281A8790154866060D5FBA8683A7AE14A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC5BC7B4E73615A8FD1EA77344EE348,SHA256=51F314F874601196486F442E15ECE6018E27CA31DA41ED4D7966D83745A1C164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.577{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38146-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.470{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu62447-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6E8C8B448B06DE0039200B619E2605,SHA256=332A12C212F9A191017FB66C6F350DCA82D890D23E99B1275D7930CD49031351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.445{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E52BF297E720DB155D1DB0FAEB3DB8,SHA256=8B11DDDFB0D362D0F9AF4F73773C93F8E1CF17C1C9E9FD8AC424CFD0AC0B30A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:48.951{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39551-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:51.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0DF37462E39D57F5F5BAF291123103,SHA256=B93BAF9D4DA6A96CA67F2F951D7B72F76E68349876FD1BB76E471D0300CEDE36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.726{5097E253-91AC-6149-8E2B-00000000FB01}60044508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.571{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.461{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C687638D715DAE2C254E71165857A,SHA256=70EA5F51006552385B5D1E2A6E805A87868E2BFCE89DCED50D963E73771DD58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0526CF55FEF09B9903BA028046A2B2,SHA256=F0F6856BD06DCBAC23D3CB30906E472CF8F54C4075421E08C4DE92CC82F4C9E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0406BED4AC2CB86B225548AF537F75E,SHA256=B81F0F85A73CDC0E1F824060E0457FFFE3C6A8EE450DA867CF67C646350243D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59162-false10.0.1.12-8000- 10341000x8000000000000000296429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.915{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.476{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8357FC71D22A44917CB6F52E90DBDD6,SHA256=F7543276ECEAF8411A68D017A6536D9A6EFCEA7563A7721C24B315654A2B76D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:53.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAC30581122D6D19B97E4B515CE61E7,SHA256=9E58148D9801BB2C9D83A7BA01E77A9EADAD200A4789687E5A3C79BBEB542A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.243{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.726{5097E253-91AE-6149-912B-00000000FB01}67966816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.587{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA53B6EBF175DA5E7D830A29105ACA4,SHA256=5BFDDA2F4557565D951F8CA44AC6BA3C60C47AB1E990203110DE517F21B0907F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.171{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42812-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.724{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:54.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC70A9255D0DA1776553A3412B38279A,SHA256=6376FEE1C5BE3EBEC567F961509D47FF1C04D93124CC008D949B787DBB3069A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:54.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ADB84F1B02867FEFB74902C866CCEB,SHA256=94BD5E7D9C5213A007D0E62B1AAC8274628D684DC5270F85152C6A634426B053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.055{5097E253-91AD-6149-902B-00000000FB01}57245860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.822{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A168FBA88D3622D433C9F1A9E395AC,SHA256=A1BAEEFBB5A8BD7E3A759B6E0E82EAF0C84C3DA935E6F30F0CF0BD88ACA94881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.478{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C24E47018BD18B45B211B4CA11A5D0F,SHA256=59EABE88296DE28530FB4A92FD3039DDF004B8B96C466CF788918E66270516A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6F1C7E174B1257374CD2CCC362E9D5,SHA256=2751C1A8D2799ECCD08868CC85F7829C347F2C84EB6845025E60EF6763182A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.398{5097E253-91AF-6149-922B-00000000FB01}68804800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:56.961{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E196F2FE25E66BB88FDD403583365D,SHA256=38DF3002EBFC967680DD2AAC99EE2191F892D892236DB3FFE327406F442F90D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.947{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10E2D03F9CB26F2455F54BCA79DC5980,SHA256=0AEB790C0CF4C5D59D57C3F09994DF7535835F4489528A4EE9E183A09DB873CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:53.705{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44256-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9135E5124CD388A1793E9119D05E256,SHA256=D240DDD281042C3A0D1B80D7C16E5505A29CB9D656A0B87C7D479945D56F5E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:57.976{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB971BBD29EED61D52FCDCF954CF73B,SHA256=47EFA0461FFA8A4C1805ED184A25BAEC43167336A401FB0233E5A984EBE60C7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466784751D5FB28E79436DA31313E06A,SHA256=17F84BE250AD7AF208013A1CE887838798EAF4A1714D038027D4DF47BCA5C672,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.047{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45810-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:58.992{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0AD989F237E14C17A660031CB02DC3,SHA256=6DF57BD8232C13958A7F85C2F70BAABDBD9858D31FB9E37585B30CB5EB711958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:58.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984BDC24E721D88CBC21996405405890,SHA256=A2187F2E09521A5FBF33CAA44DABB2C83863BEA5FAD8E7BD1DA5DE97B7FFD26D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.703{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:58.134{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC4E3F129A20D0AC893CD81C6CA5198,SHA256=D8DFB97F8AE13B66F58CA30074146C252611EDEB2C53DDAB93B63A5CF989B603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.825{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59164-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.825{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59164-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.544{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59163-false10.0.1.12-8000- 23542300x8000000000000000259364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.431{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BF285B83EF2CD0D62F1C1CC3475B1B,SHA256=B90C652FFC58661B9F33001D7E97DD51EB5FFC14049FBEE7C7107D579AAE9873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.551{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47267-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.134{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C336B2E44B59399A341DABB896233CD,SHA256=ED740AC10F08379C696FD338A9836533677AB06C46BDA63ECCDFBDCB0F751527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.024{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F31BD840DEE5BDE6FE205D24B6AE72F,SHA256=BC7189AD20A3A6E5283385154DA0AB05EBAB6885321F39E3C6032DB80552940E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.933{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48875-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.711{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com61127-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:00.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A97DFF78BB0547EC1D0E302D44FDD9,SHA256=D3F872BCDA689429964E2F56550133DFADFD14D0EA3A1C424BF4A2BC830C4C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.333{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50245-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.165{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A0A85A6F198CDF7ECEE65EFF674AA9,SHA256=F9126A40A43E8B448FAFBDDF7DDA1ED162B08EA5661551E15D840E088B13A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:01.055{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F160750581283EA815F9FA5AE4435,SHA256=16939E681BE8EB50D477B1D60119801E44B9DB16928063BB346EC0C0DBC1ECDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADF7F93361C94154E613D38C55FE838,SHA256=02E82A230F4549F0A9204C6BE8B73180A0790DC625A6731E9D397B1E0C4B4899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:02.086{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1961E5BB8B4A4FA64F085F0B2D5FA1FC,SHA256=ABAACED91D9DB554D8D2B969C9FF3F36C78434F8BB4CC6D89FB413BD214DADF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.603{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68C11EC4FD7165237F38D6C194DB814,SHA256=08438B4A22A6D5B343F0A555289AB7974884271C67E57D13671E7FBE371E88DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5393647BF4B8D8C8DD6193FAA9EF766A,SHA256=F2F4B46D416F164B82774323BE97B5F99797C826FBEEB176C443172BA3396F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:03.115{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E024C08D20191291F8FB2FFE076424E1,SHA256=0EAF099C3480CD5CF2D5FE3C9528A20091096E304F84D4063433A3A7DA34E7D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:00.766{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51662-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:03.194{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF5D1160E6DD9DFADD8EFDB5FA4A12,SHA256=CE129C46B4D14F69E96A416A5C9ECCF86E72360319598B71BA78C2A5CA6F734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:03.194{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B4A2D35660E8AE3916862481A677E23,SHA256=FF80B4091AC9906D116B87D459A2ADE91B75FDBAB0C0151607BF55EA95D02F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.445{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94AE18578A3A69AD5D51ACCD4DDC0203,SHA256=C9E3E6A5071514B8C43C87908B234833EE0CD795A987275ADD46BBF1A3AE0BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.219{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53247-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.657{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.210{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B86BC4CD6701F3642D26F84D15AEAB,SHA256=87874A69711DF3B75CA1B53B71EF5F1466AA6B0D20A024B90560560B9E780FC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:01.481{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59165-false10.0.1.12-8000- 23542300x8000000000000000296486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:04.130{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3E4A794B85E671FAC161D0868F2F34,SHA256=823BFBBD26A896B4AB71C9534EF9345DD6942918AFA1DF939B0BB42473FA084B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.897{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04595325628208C36702C8969C9555AA,SHA256=32A9A5E4395312532751DD6BB62E9974AD187FED38E76B905F60A6EBBE62B259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.225{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919AA8C18DDC63DFA6206176C125540C,SHA256=8D3BB7F98DAC529335871F9456D6E69AB38BD5D3A704D9CA5A29226637FF08B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:05.146{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5400C68039DD8DA3085E3D4070843643,SHA256=6ED9717D9E93DE9C6F1F96C40CA7DD85C6C3988572F3CDA759FFD29A3BEF908C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:06.241{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB291B5232B89FAF578BAB389289F0F7,SHA256=991E391FA0B1ED37EE841DC26809D585F42BBFAF77F0A0E0736092B2130D53AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:06.146{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A64DEECEDEDD4EF13C6B0D5F30E830A,SHA256=68D2A5157543C376D753576B373220EF730F04C100B744ADA9070B399F1BBDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:07.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BC71D13D3056E502347ECA55CECF0C,SHA256=59BA1C07E3B2E709FBECF77A4D06B8173ABC514C7CA73933B623A6D46E486222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924571F9B425585DC8EB95B5EFCBF865,SHA256=50202A0AA23D98C09B0AA4D898BD95300204F8B35C48B36F37A64A2473863614,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.518{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56720-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.112{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71944B3F7584167C8A475DEB70E38785,SHA256=941A3B87664D5AC8CF4AE02F85E8D1EC4EC6707CDADFED417FEB6EF932875B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:08.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917CC80E1C23A9D7C69D918D8315051B,SHA256=5C49129C53ECD27B26C5F64CE6151E35BF6ABAEC59658D04B2C6287CB90ADB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:08.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6048DE71E64B71DAA0690B3D509ED,SHA256=23EDF99124A53071DD5E3DE458FDD2460115E702F0AE213181BA9DA04BEE0910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.280{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58444-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:09.272{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398482CEE0860928CA2253D97B2CCF96,SHA256=ADAD637CB2A50EE0600BB3117DB57CB231D582C66C30A3EB5C8A32CD2668C25D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:07.479{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59166-false10.0.1.12-8000- 23542300x8000000000000000296492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:09.193{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0260E3149CF0DB8F12893B01EE68D787,SHA256=92E56EC800447BE3C3B04B02FA11EB91CE79B6C527264BB7751C087F384F2ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:09.100{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540F25C81DBEF14DF4315F524DAF2418,SHA256=2F00A0CB2872CFB6B3C23A2D664DEEA2F0C21B1ED087F28E15DF89FEA91994AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:10.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E39F07D2EC99C25D20F702BBFD2C3B,SHA256=FD9B11919F116CADFC38607308D213B60F5EE44B539057953033AB4B1FD2A8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.607{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:10.272{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078FA7662771086459D63628A703B7A2,SHA256=0D32A840675C40D7FE26A7FF8F20F5C51153F95CB6943F87F14D0375B580FFAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:08.754{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1086-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FD389673174CCB0E90FB0C8944E744,SHA256=06B66A1FDC1C585726E9641E3146F60A51EB140C963721F18DB326821C6BBDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.288{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F06E8DD3E080F5E3BBA8532AE4C58A5,SHA256=16067B59B2117ED31B26C7344C22430396BFF0D84770A65D8EA660FB7F5DD033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:11.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9DEB8A15EBC00D34049DBE2991894A,SHA256=15EEA8F1565547759FBDAC6C9F9C157FA148AD5E712AC8B2585D1453BBD2CCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:12.224{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9807887FF2AD6231853711AE2452CD,SHA256=8175D5F5AC10D54B36D87513BECF3F78E4B7B8FF0491DA74ED41A86F3167FDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.757{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDEC3D7C5E6E512B3040BCAEA1423C1A,SHA256=A086BBE9F982C2DD42A3119FE18A79242FCC9E78BFF89AA0DE2E44862D2AD051,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.014{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3336-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.303{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95914A3BBE2781AAD862DC53615BE56B,SHA256=3D820D9AEF9ACD0FB249EEE6E51BEF455B96A1737A633B449B8B39B18B9FD2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:13.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E8EFB070CD6D1A9FC1E3BF9338D9B6,SHA256=35E8E1B34E9CCADD8848E7281C0EF8B13E1AB9297CCE90127206CACD751D6DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:13.303{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8833DF43600F62ABAC4DBB013129361,SHA256=437B82CD720B777FCA4076064AE1198ABA20FF2F7A8C4CBE9B465620619EDB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.413{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3DC33014DC96630F856DF6D06186816,SHA256=6D3B37B0925DE511599537A7E75106F5780481B657DDD6741BA115E7A66CEBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.319{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD97EEE1F10C7B1F273F5F4E07BBB18F,SHA256=39EC32C466921C6E57B3688C464E718383196860FAA2864FE1A141980BFDFD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:14.271{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AA82E6E2D8B28D7CBCC1460B08C495,SHA256=C23C2A4A66884DCA0F596148E867F2FD8DDFD816959A769A7EA1FA34ABB9D4A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:13.416{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59167-false10.0.1.12-8000- 23542300x8000000000000000296499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:15.287{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECD60836A28994B38083A4EBC6AC55B,SHA256=5C6DA1759AAB52F27032F85FD91D1C3A7B27554FAB327E524B6B130F9040BCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.944{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15E50D785FC0B21C30C4D659F002EC4,SHA256=B31296B3F60266880977646224C235955D812199077E2D11A99838512441C495,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.033{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6357-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:13.639{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.403{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4829-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.335{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7493E35B14151479AEA46471F210C3F5,SHA256=217ABD13C0F2A211EA4B141E4151D0CEC267E22A65E91A01CCD60A803064CE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:16.333{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9589F91B7B7E34C05EEB9635274F5CE3,SHA256=0645DAA1AEBD2E8E77386B1F98709EE784EAA5D34660F1FB0930ABAA481FB956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:16.350{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FF028C59C3424DC1EFA377DFD05D41,SHA256=6E011EE9A117AE85D27575A368C8DBD64EE613CC1E96ABE092DD0B3F1E65C070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F092127E20DAC3A4AC10E814FC3F4586,SHA256=0FD91C3D39FC1FE5269343CF07FEE3B79F73E46FCD9CF928E2FBBC1A15F9F3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63986B43641964296F313F403DAA6130,SHA256=A3EFBC12EA502BBB8C35E0833CD8186B5783974CA9852BDE4AF6C46AD7E76706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:17.349{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BFC5899F16AE5D4B5124D427240D6E,SHA256=C3E8A3FB75C3BB5C0DBE0EBE24B6A91478F449A00518C30AA12B0AC99CA0D860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.200{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9670-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.634{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7998-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5615703527A52781A789F58D39EF3A,SHA256=161A6AA647FB703485956905DD1972060B0F54E38EE5402C1A481DF7C53E367C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:18.365{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9729B422B677B0C68ABFB68BB72BAE88,SHA256=55828D5FCDA755A15E046FB84F647BE5FB72AA5890AB4CF3C6888166D7FC80A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.382{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568995F32D2B0E990EB01CDBB8371C02,SHA256=B4132D0B8BA01065065AF79E0917D48A56C675D09F8C1B62C665CB572C567325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:19.380{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983554610CDF4750C18FDE2761911368,SHA256=A873842775122E2FF7E75F338E4DAC3D7BA2CE29F29BCBB271CD8563C0147E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238EAF939AE0F047C36A6E4F65A5900A,SHA256=24D16265C930789201A732C5806ABEAB1495BDFD0FF795D1E665F7F264598E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.851{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.506{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8049388A265ECE98164776CAAE9F9BCD,SHA256=EA9308FCC567D03660CEEE3BC27D8C47573AC2A0396DAC43ACEA027768E53234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.397{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39EF8A670189D68113EB163011C8A2,SHA256=17428E624C55F871CDA66A050B8B55C0CAD74133028879F38D748687CF536A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:20.412{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A376A5AA0F8F355F4D94FA4914F404,SHA256=5BB652E1909CF8A5DB02DAB6FFA20DAC22E5E99A5D2E51BF2B5909EAB6941A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.867{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ECF14674BF2C6C9CAED7BC82760A881,SHA256=6FC419F1098BD354F8BA1049D87EF48BDBE7CECB1437EDC2B8E1B238D73F4DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.654{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.725{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6493C69A781F1F461D9DBDECD56B5BF5,SHA256=026EF24A463EB453EED08A5B16D76922EA01D33F8B13722376DCAAFB4746E4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:21.427{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05526EFA34949A8A19CBE892585B6D62,SHA256=5F02B98403B9877271EDD35F434BF4700774535EC268AB6224EDCCC0B53234E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.367{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.131{C189DCE5-91C8-6149-2327-00000000FC01}6563932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.791{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11339-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.740{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com60649-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:18.526{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59168-false10.0.1.12-8000- 354300x8000000000000000259476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.323{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12887-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:22.443{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB762F13B1E4F05D5A86AC4678DD1CFB,SHA256=417786A7DF2403E56721E2B23C82588E2948B7785A9A46199B107109AD5AC5E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.631{C189DCE5-91CA-6149-2627-00000000FC01}36321044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.367{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.748{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14435-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.718{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com16584-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.823{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AB5439C7ED677938F18CDA96379962,SHA256=5D958B5E26E19455466ED8E4A8E2BFD633D64B215D84ED6EBD26DBDEE04596F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:23.447{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5F9260B5649A74C6829D8900F319C1,SHA256=1C97AAD4CFF39271563D88334F85DD217D2B98C8161094B67C339C97197FFF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.073{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D21753722ACADCEC17C5AFDE21067043,SHA256=FB86D63325E0E1DD3723C3717B69C29FADED3C92092E2C1AA4689397A9A15D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.073{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5340D0F9F2B0A67BD269D484D27B546,SHA256=E616055C48D2DE1756F7A5A7001F3000667B27658AE5347D0D979471CB00A262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B4F0E05CEC401990474EC61D05652F9,SHA256=80EA72145C89E01DB2BEA9B7D49AD6A4998F17F22BC8CCD49562AE7094AA6E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.870{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5AD395A7C9390B32DF232D6925FDC8,SHA256=2DB626E6AB311985FDBA6CFEABBB91876EB8B9925B97F7A6C9AE3C38E7472717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.870{C189DCE5-91CC-6149-2727-00000000FC01}25201396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:24.478{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA94A47D558B24B7A0A1214AE256EBA6,SHA256=470D032482173907968BCD8CBF99D7356E458662B5E21389FFA1B40FA23C5EFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.605{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.178{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15897-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E41CCBAA9B6E802329811376BB1A69,SHA256=17CA566F425CBAFC66325598F6C814D67ADE139C89835238DD3FD5B1472B835D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:25.494{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882FFEF77888A9CDB7907EE4597F654,SHA256=EF295CE38916488D9272A490E76EC13874863D650D27D065B7E36813B6A490B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.386{C189DCE5-91CD-6149-2827-00000000FC01}23684012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.105{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD41CD5B6DCB3E1B3F392E16372FB3C5,SHA256=89D57E2E8E3B50F90204DCAF446EF340D8AC383F677FD29BBBC8787084AC496F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:26.541{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD038610BAA9E241FB7FE8D2486652B9,SHA256=C9B64F716F385042CE455F2DFBEDA26C8F3315484FAAC5E233809EC96107C08C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.589{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.338{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=866771767CB77EC67FA5085EC3786BB9,SHA256=8C49D819E351EB9AF2750BCC7B6C61021A50585C33F9AFAFC6786C847DE3A34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.932{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A2FA68F572FEA10F58E0CA2651BA2F,SHA256=3D48EF463EC199FC654A16D35FC29973A88FA0B4EBE29FD02C32858F3772351E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:27.572{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F64B008586668643C45EB3EADBB2D4F,SHA256=CBE34DF28C8A0A84E8EA91B1A8C59E4B18102DCA75CD3C712D4BAEF4DBAF6D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.604{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC025DA2F691DD1F004F511DCD60690,SHA256=4CABB4ACEC01C3D66249333FDB9596882A304A145611E193E0A95E75B4E226A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.526{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17260-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:24.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59169-false10.0.1.12-8000- 23542300x8000000000000000259534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:28.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A857A2DD7F3F751CA639A3C3A418493,SHA256=E93CBADFE15E2192DE3D6F7BA45EFD01F29B77B291D158074A7C21B85D4668F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.619{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BF201CC3B69E9F3DDCEFE16BEEA63830,SHA256=D440C19DF952BCFE805AE6B32080AB66D69E5B45637BDE6B79029B6DC6879CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30D9579BC4550BEC405CB9BD0BA326,SHA256=630A0452832F4D9484B4F64BDBDBBCFD2F642CD2938E41AA439E8C51E96DC37D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.132{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18795-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.595{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB0FA8B36B6680D476FD494AF7CAF51,SHA256=2A9548E7113DE4F8603B3D775725D181EB70E7E296B59E50DA9AE2AA8594F3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:29.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61E58E4B3CF21D8866597EC2F9F8C3E,SHA256=E1C2A49F56BC365D239EE1B0595242FAE27C384EF63F6B08211C2AA23769FC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8412E98AA75F897E3F119A6365A00053,SHA256=F4274DF5936CC395728F1985923ACA8858F8596C69D906CE991F2D4EB1ADE489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:30.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7789C1514A23F9F53A3765119C200E,SHA256=19AFFDCC6AE5CB7058E8541C283A6172D1C504770E1D47790EB49A1BE7B2F19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:30.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A77B85DE390663CBA27E0E94BA8C1D6,SHA256=ED7EB04005A629ADBB7194E02514113ECE5DC55200720FE7EA3155F6E66C12DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.167{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21890-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.763{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-65473-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.649{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20375-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:31.619{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E476BE98A8FA7CB48BD5343CCE261FC,SHA256=9DFAAF7F04429CBA95BD5F8EA3D15C50C0BD2CABCB4D0A23A79DF836E26B699D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:31.026{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0975D5F2CDBAD2CEFCA63F0139C05DB8,SHA256=6FD7E485E9BEDDBA369964E43AC45DF887306C71F7E27D09A8CB9680386C6603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.429{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-49884-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000296529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.619{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA9924A4476859FC88B61FCE93C85C,SHA256=080A8091BF3E43FD2D2D61C5EA4B33CE4C549D40B59934045AFF3E99CE730865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB9366CA2C417543607CB577AD4FD48D,SHA256=D04DF55E721F6B7EFD61FD555203C8738D78AC554F5EDE867DDBB48F4FCFCF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.026{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5D8D1DB27981200113B0F4BD9EF874,SHA256=106968E2D8E7A3B21CDE18892B7EAB0C00D122E35DECFBF892551512CD73F2F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:29.561{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59170-false10.0.1.12-8000- 10341000x8000000000000000296527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:33.634{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F19A6CB25141CF8EFA10DA40AC4A363,SHA256=5BE9909FBB07F16B8A04E430DE701BE68F08C57FEA392055478E2C89F8808036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BCD72F7EF5C076FC82283CB83AC21B,SHA256=C3069394756D7349E06E9D1D39BD1201E9303460EF9B8FFEEF0B02914E896B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1BF4577299D3687D6ABA789FB5BCDD,SHA256=347330AC30D82ED530CC33D8D835230108BE998BE9DD23F520440B4099F8F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.794{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1370MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.636{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEFB1C7AC82E00A061846835B858CA2,SHA256=37C60CC0BAB203A1247E9F6C7A61FE0DBBC1BF9CA467E69EA05B6DEC010F6CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.105{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25095-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:31.595{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:30.548{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23435-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:34.042{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257AF242AC3EBE1FD031071BE7766874,SHA256=6422934E1BE314E76581F5A4E54265DA75810BE413D1FEF70CE498F93D866247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.807{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1371MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.650{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74CEDA006E99285E2B5813285A1EE77,SHA256=DDCC87877994F810BC5EA3389238948F79F3C6417A99D8FFA257BB1A796AB28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.526{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31322D240281288E4CF383098C847B6E,SHA256=8DECE6449B75FE16C54B2AF1EE37AD906FF5D9E2BAA952DEB4E9DC20E04771E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4B8B0818EA5DF6E7166BE030C68CA,SHA256=28A442EF9AC2F0617644028A7F6DC46220BBD0C2473EDDE697EE8CF8FBFD49F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.509{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.494{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000296541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.652{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F65E05AF5560B7A3A0D876B6605BA4,SHA256=5407DA0E6A1C18B3C4DCD3C166DC44B9A5E483363305DCA3EC4486EB5DC76C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.545{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26528-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.276{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B44DAD6B912B0A5F11C35638F5604FE,SHA256=C870FC61DA311763E34C3A158A20EF025F139F9E5D6ECA46404AB3A77B425BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F3B317B34548C3E8911673B4A4648C,SHA256=7EEA009B46830CD490E25C0BD1CAC1C418818B3C0F9BC6EBF61F68158C7A147A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0662A0719AA488E27B112B770A191CEC,SHA256=144FDE3343A45151486D80C7B951FF1C59F4B2859F8AC3CE4E90490DB47E1B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.386{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.725{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-49990-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000296552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:37.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03212A958023CADB448D6BC7B8E0C58,SHA256=1E9E83A181D14F44FCA87F36D2DA3AB88ACC373201E034F1D19DA69C6525BBD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.162{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.151{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490D56B861F235F3E89DA04877B485C8,SHA256=18423352FE5C261F171BA7473CB400BC5FBCAF92D8C91560FB47EC939A874B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.818{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59175-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000296550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.818{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59175-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000296549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.815{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59174-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000296548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.815{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59174-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000296547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.814{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59173-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000296546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.814{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59173-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000296545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.711{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local59172-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000296544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.711{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59172-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000296543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.704{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59171-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000296542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.704{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59171-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 23542300x8000000000000000259555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1293A752E0868230A56B8065E86C062D,SHA256=435A8BEE28B8FAA5F5084CBFD7EB5450E3BF9393D6A4F965ACCF42A2F75F95E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:38.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41207EAFC8EEC9382F3DA19807D1444,SHA256=86BFCC0F7903B2C540CE6BC0B923F344F085C0B6DB5F838B57FE09A9AC76934C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2CC778B2E1331C8E4CE03AA357686C,SHA256=9DA98618149AB4C0E50D2A3CDF560A80A19772FFB655AA6BEE8469DCED0A4589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.736{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000259558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958E40375BA3E930DB6B2C2C0D0F6155,SHA256=7C859D3A0E0F79F3CCD6EB0218BF309EEDA12A9A5CAA95E0E673A3FC18BF5541,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.688{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59177-false10.0.1.12-8089- 354300x8000000000000000296553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.497{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59176-false10.0.1.12-8000- 23542300x8000000000000000296556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:39.699{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DDF9006D68A36BDFA6DDACCB643C2F,SHA256=EA02A4B2E147EE7787B49B50ABFDB06C46FF8E70459796CADAFF1FA1E44F13FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.684{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29773-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0131D85D441FBDE5961ACCE44DE58942,SHA256=E2F5611FAAEF0265E1232777C483E44570A6A40C9D4042F890925F586D2B9520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:40.730{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CF16BC154B3B0FF2AA49E8C77BCE6F,SHA256=80077787F0EDB44459052117355AA0C91CB639AD2F05D8BB853FC7E1A8CBD1A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.360{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31460-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.627{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:40.260{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C305AFCAF595BB6A27F034149C4E1ED,SHA256=A3C02CA3C40DC27F431403CCA163042F88DC6C2DDF88642EA7B923DB891277C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:40.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF74B20F98545FCA9526665458C3E6F5,SHA256=522207DB0DA604C5BF6B3140F01C7B89BF03F800E7C01519D20D853F32A5512A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:41.730{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DA3C441B023CCF1E7D2D23B7780103,SHA256=AC53EDE2AEF938950543940BD23BEA55758F6D43716A5CF6F45656947102EBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.904{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1362MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.683{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62570B3E095343E4D878AB022CC9E301,SHA256=07E7523B22AE050338339FAE12C4AB5A3B5984B0C57637B5DCC1FEBB3EFCD055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.338{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DA37CF0E75180F0A362B97EFBC9F0A,SHA256=F4A09D4445E2090B5978914EE0008BE0BC051D0558EFCB9AFF304A0D95795C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:42.745{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974F833A8B5B1962A37B53215FC9E687,SHA256=2C641C9DA9CB4B5272F68A10684881F28D1EAA1CF78EC2FC654F53D9C62281BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:42.911{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1363MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.976{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com60133-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.835{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32901-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:42.347{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71E892F67B458A05DA0B5A8F592848A,SHA256=7359F50D357D1455DA98D74CA2F3B21F0F7F753E3D8E6845D133422A6303CAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:43.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0753E379CC4E789CEE25C84C990FD37,SHA256=E3787A48BA2F24333B58CC529549925C3465F23A1339E7EB31B4BB48044064CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C44B60DC37BBB5BE148D6B10A16E9C0,SHA256=C2F7167BCD46A37FA3302FB45BB470B169578E535428BFC811CC6AA15E169C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49F9E28E33B809DBFD13C8D8E620033,SHA256=5279CF08D5282D9C622E20A73152F354C04948A50CCDD73AB35F18AA18005852,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:41.406{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59178-false10.0.1.12-8000- 23542300x8000000000000000296562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:44.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8F383B4692DCD32A069673BF408DB,SHA256=C5FD31627C3C484F72B60696672E5FADDB1F75397F42A623FFEBEC80C64DB045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.970{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FB55DBDFB176F75455C2C1BAAA3D86,SHA256=34875346A267853D35C74377743DBA6302228922E5FB19F794081DA28FDB8E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.304{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34442-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.408{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E54C7CA30B8A2D3B96120B88DC6996D,SHA256=350484D7DC234F2626BB41734E8059F40F8B32757EF3B78A2BC92B20FD82D3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:45.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E96F611E7E35E158CA940B047B683F,SHA256=5C437C6AC2DACD8B3C81CBB47B0C6B94D17AB0736126628A459CA302E0C0E912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.618{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.054{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36342-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:45.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C6BB9BBE8D8791039B56601C93DF87,SHA256=B2D07A22E3B0070785FBF780D20F8218F313418A88F5202062644CDD1A8B11DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:46.796{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12405C41CD16E79883208940F6DF99D,SHA256=BA6082751D12E06606876A806914549299E567E5E17449FC9D6FB44E44447009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:46.486{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436FD126F464182E8D834856D43CE1D2,SHA256=E68BE77874B96CFA21D3550B0B0554AC0DF5F8D559A3AAE14DF600074058B4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:46.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120C43DDD64811638191EB515ACB6CA3,SHA256=897CB9EBA287BC3D9F42E27A39316F020D758ACAEA70B7CD58F3768F9A2C5687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:47.827{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EE27E3B30895FB6A15E4B1E06DD1A1,SHA256=E35E8D5A7AB9B0350EA5F2E6FA2884DF6F57A66878FC653D4334EA57B58A3167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F479AD3314E444713EF013AAD969154,SHA256=4FA5CFB9A26B9E4FDEC307090525A5BDC566DE224E1563298EE02E05B0AA2E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:45.974{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39422-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.522{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37937-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F944BFBF4FABC1C526085D6A2FD416EE,SHA256=D5B4D932C7624C89C5FD24F1CFA71E66FBFCA7B616504F0551B7D0CA2ACB64B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:48.842{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9314E6E679145B0C17C27B69F15504A9,SHA256=967834D602ACDA4140306A904E754265B3CAE1915FB0B7FF35271C59965298DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:48.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC6EF5313816D1ADC683A24D4BA1A6D,SHA256=F5D09CFAEBFDEBB273EEAEA5347736AE4EA50D2E6CC9DDF6227A06F96E5376A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:46.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59179-false10.0.1.12-8000- 23542300x8000000000000000296568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:49.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FD6F48F233ABBF5904A66EF407EBAC,SHA256=C9C6D794558DE0112AF23BD16B6266472998959345202F170718C2B407CE9D4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.456{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40835-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.595{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E70B826C0D9A93CB1F8F56CA864FC4,SHA256=A55A6DB2B549BF1DA503624553FDAF330FFB8EE94BB54E55D511BACE3D406412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C3C22678F2F729D73500575F8693909,SHA256=A0D316BB579CF152045B781F4AC1917BCC613B855926AA6E9FFFE1D9FC334BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:50.874{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A57A43F16A070C1AD7D3FF54E10658,SHA256=D04F91088188E5158CB558B0254C7AD82EBB1E4B7178D6C4CA7E1375A5BEFAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.876{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21737ADAAD15113D2D1E12492907AE37,SHA256=5E506982ADE138D586FB8545F97492245F759522927888F1A5C3BF4B2637A59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8073173BC0878529850477BD7215AFC,SHA256=6EB169F31CB14CAF94A871C8180F3EBD3DC55B46F234DD30C78F9C9E4020F1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:51.889{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDDC1C5EF08189DE222FB7BC8AE0B8E,SHA256=0CED3776334ED09E346F1AB13FCB46D2A916550AE528B8E471DDCA981EFFB9AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.618{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:48.967{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42366-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:51.658{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290B41277C5C55385D0F32E1883E0751,SHA256=D632AEFE075EF910777F2FAD4F0E2A90DF09E684CD1C54C0CBE73B75FEDE430D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.889{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7C14EC20B94F9F166FDA4EEF572260,SHA256=C9DC8ACFDA67E5932216DAA931A3791D396587D42DCCB30B313E668073379A7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.429{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43777-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:52.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792370B582E797E47619A5D91C4D4704,SHA256=0566711BA3FAE0C6380EB61293F013127E4E92379C584E974927A99D675CB816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.578{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:52.236{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E19A1519A95B8FEAC56210E24F7F1F,SHA256=725F91E54B74010387ED455997CB5504B5895C337F5E0323D6964056D59F4C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F4B96BA1A1E56C61A5EFDDA58A3431,SHA256=4DA13579CF0F6F8BE014721A15E0AAA2673E30DAEA74AA18B11C96085662F227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:53.705{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CFBB4EC12F443C91DCA5A12381304B,SHA256=9B1BBE12D4EF97938E3F76CC5BE32C550B331EC1787F81EBD9D04CD00C02C13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:51.706{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000296588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.389{5097E253-91E9-6149-962B-00000000FB01}11526724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A452662206A3554A3F92CEDE38152CF0,SHA256=BCEEB4E522C8FCBDA8DEE444553C63141F196594E46CE0F4D2332F492E735B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:51.914{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45279-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0AD0EF4DF12311360634081B12E782,SHA256=D89A6E0A35BF554BBE596AA36BA3991E410F819AA4410690754B61DC68E940A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.733{5097E253-91EA-6149-982B-00000000FB01}38926224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59180-false10.0.1.12-8000- 10341000x8000000000000000296607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.593{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.061{5097E253-91E9-6149-972B-00000000FB01}72326408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.001{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC7C4F6E355479830373DB09D5519E28,SHA256=9FB05C4A8ADBD5182EE529D94AF5664700DF0C5827B643471FEC26FB9B60753D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.936{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC1471346DB405E483A718FF049BE98,SHA256=EEFA5CFF4AB318367FF9085E94749093E2B18161F35DF60F368218AF226F9485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:53.552{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46780-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 13241300x8000000000000000259615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000259614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050007ae) 13241300x8000000000000000259613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xd6f99c15) 13241300x8000000000000000259612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x38be0415) 13241300x8000000000000000259611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x9a826c15) 13241300x8000000000000000259610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000259609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050007ae) 13241300x8000000000000000259608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xd6f99c15) 13241300x8000000000000000259607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x38be0415) 13241300x8000000000000000259606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x9a826c15) 23542300x8000000000000000259605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.767{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0BE762B731AA686CCDD877F289DB80,SHA256=F989BC86023677EF787A7F4181CEEC2DBA0F85442C7DF3D3690615F6B66AD7CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.781{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.327{5097E253-91EB-6149-992B-00000000FB01}80845388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.189{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A75624490CD1631E656DD8C6D73A84,SHA256=B85E87A71A143965629D2E0B18D6FDAEA91A3C0A3F4D6D50A41B5F7147622D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.027{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48363-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.665{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:56.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53895AD8380D4E76979F4C61A2F3683E,SHA256=056989204D3F68F14321324C5EC09CC4BE63F1272DC98D1A4082BA481671DEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:56.967{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EC329F7A785406CDC5596240C35CCF,SHA256=6956DAB713C4BE072B2EEC3B9F5B47FF8E175DEAA1DFA2C9BC05686D754BAA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:57.876{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04F66E44AF0D02565E261B124485603,SHA256=5F8D509157100056F16321763A93B8EF6307FC76B6CA7986D53FE9116FD47964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:57.017{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F523F3A170DACD34EF7A9EC3CC8AC3F7,SHA256=C9A752E645527903A83DF733E8BDDBC4C2F8AD0FEFCC3E595383F84E32353D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.832{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59181-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.831{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59181-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000259623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.892{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4B8BC69F79D09CC5100CFE3B07B2A5,SHA256=4D0150B7F8583B61DE68DA0A0141C71EAC4E6E4AADFC7D1E581084748B9E35C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:57.999{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D1276A7FFDC57DE12EC2081366E15,SHA256=D169916BD07A4B466376CA32C8C7E3DB734167E5E02DA90D9A118DEEF165DD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.470{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4399E7CDA5D88DE3CCE07A9415B82873,SHA256=86B85B7BFE166F7E58B23083DDDF3E15073FFD6CC6A980ED573DF2AC8D9C84CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:59.908{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D632659D21EAB469D959DEA8A63C9D,SHA256=0559321ADA04FB3CFF126AB7AA231840F0D14228E37DC02DB0FEA03DAB05700A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:57.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59182-false10.0.1.12-8000- 23542300x8000000000000000296633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:59.030{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0E353FC228A79D9DB3A686DEF33BC1,SHA256=55AF50DC52A763CBA5CC2D7E1A2C8E2707AC9030A3DE4B9A03C9FF9112126EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.923{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A2006E54D27FB65A2DA805B9ECA906,SHA256=1C2CA24F9ACE6FA002128F5F1A00DC686C039C3A3A72E2DFCA321A9DF258543E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.046{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CE3B9799B70800322701ABAF7C1C6,SHA256=C207E4F8D14F6FDA5BFDFFB17BE9108BDE4769FDFD7F7B4ED5E25694636DF66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.064{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C55107D3119CB69DF0895B3BD0C4A6FA,SHA256=D4D337D4CB7D0E7AB4F466721D275177819E622B75B67B7755740C5222D33F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:56.569{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49864-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000296642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.031{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.939{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694129AB7E9F6DB6B24070A3C23ADF5D,SHA256=77A3EF25CDAE2AEE4BF07ABB098F8153366FE609EFEDA87A33C9BA9B8540121E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:01.139{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADCB2B236501FBCBFF43A7649997792,SHA256=FF6967E42E698AFB6E5E39A87F72452CFCD24A65A72369BAB0B32106679D4D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.720{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03CE15A3F4802F0C21938CC3175474FA,SHA256=B7EA5E640B1F3235AA3F5383C8740AA1216088A41A6FFAEDBB19C1D57EC78144,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.025{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51442-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:02.954{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A4C07F20B65D2FAD2735293BA61D74,SHA256=7F46FA5F1957AFD685C08C0A3758DAB04D0D831F61B8A768F0BD185719F5F48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:02.155{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336453C652BC7E443390AFF87D4DAC36,SHA256=D7BF9B6D85C1F7078A168F973CB46EF2853048BE1AF0EF736F7E05DA6C7381A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:59.674{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53039-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.965{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C778CBE09D421DB94BDE209300D678EA,SHA256=1CB80E0FAA4266B0C44F107D63129A81260832A8820C4D43915E1C748B9A0634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:03.168{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4D4E124C39CE47DCF270E5D7AB6A62,SHA256=562A2B4DD9184AB4DCD2AE3090CC297093FB74D3BA47028387923C5CF8494C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.199{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62BA0AAD9D6FCC79F47FAEADDA3911F6,SHA256=DAB0F120BCB17D3793553902B261582A7268061D2EC714BCC5FD16FF20DB31F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.946{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com59020-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.649{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.446{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu52983-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.152{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A124A5B6292C20620A7ABB761E644DD,SHA256=B13201C116D47B14A99C7697465BB89B401A93AE41F977A6109128ACFB7023F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.965{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28F99DCBE938D2D87FECA6B47904FB4,SHA256=CCC5A2F93EC07187FC48B9423F68D304773973E0AB67D0397EDA0411A3E4FA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:04.183{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94450F13D4504B3A4792D4A4D790162,SHA256=D5DBB11B7531E2B9533542F75098699C8EC6A0D74EB0914B130D7580D26B7D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.637{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FB50E7416ABBE85E7EDC4FC945025D,SHA256=9C3C81991F8EFBDA33C0C1C54A201F16467452C9F17CAA627194A227C3716DD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.343{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54745-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:05.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2409BCDF3A68378B92BEDD3D9782E8A,SHA256=3BB721F5A043CDFC3C34E4CC5947FDDAE8318A2972E57886252F6AB4F866C0B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:03.391{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59183-false10.0.1.12-8000- 23542300x8000000000000000296648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:05.215{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89AAFDDAB9A92F7ADE6714959BE492C,SHA256=6B578C780E3A8F6E760B761187BC20CD59B79C911653B97F9BF2CABFEAA05850,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:02.750{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56157-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.996{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E9CA174D9703D882F51C3DED325FC8,SHA256=3B7618BAA9156D9CC8699C610F78B48D708F661C6D1309BF54896B896C1A402F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.168{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B904A412A79ED47BC45D31D5A18D014A,SHA256=1672EAA4031272357D2282A8BED131CB84CC9C487C4FD8E5B37741AC863810E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:06.215{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66553102A80E36F2CD146364C588AA35,SHA256=7110EBEC81A389BC45E63677143B6E2A887FF8B9B0FC440C4740E1A6B00F683E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:07.246{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC1D2303352A490A4E3DF74FEE677F9,SHA256=4B6FC5D0A5AC3936B816D4DC70BA60975591359F86A0E254499FC2ACD3F06567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:07.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C70499FF914988162EDE7C9202764EF,SHA256=1615F50675EF65B188BD0A73CAE6B0A77C190672D1FE12994F0FE402ED3127C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.195{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57647-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:08.261{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C635842543BEB2D4752543DE187A0C69,SHA256=CB070FFFE29E5CDDC42264DE10AE8907D3D877944EC28FAAB57B991FD7C982A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:05.785{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59302-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:08.012{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33368C913A44A8B9E86CFBB1F3453FE3,SHA256=591BCB26F9038E097F251743FF5C9B9BAA61335ED27105224874C0E950EAA96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:09.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D992A8C5B6F7DF693F50E744B3D4EE5C,SHA256=7C46A40B9659B57AEECF46BA4903F9549933559B55593C5F5FBDB3373E4776ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:07.198{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1775-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.675{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:09.121{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5CAE54B383906E9AD36DC98D5F813FC,SHA256=421C300F9763AF48DC389E33F61CEED3E09AA92AD1F0310C2DEFE90DBE23AC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:09.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099BD70548052A6BD73FC938C7AC0251,SHA256=A4C93DBB017982FA1ED82F3813BDFFD2152A0AA64C3C50876B2D1AB346CCDB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:10.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7D18152F8AB61ACE129B851FF7407F,SHA256=DE954E35BBAA5C65DC45DB14C12066A29290831C21A222FD4D385C6D180C0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56856887C0D5F472FED6F894819D3EC7,SHA256=FD9F96F9E90B89F7F61A39C6BB9BAF55A2F6D2B6B28B377359FB5128AFD0341E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.105{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8C2D586F2F121F167D77072E716843,SHA256=9D4C20A22A6A8EFEBC7B7886D86ACCAD7726B86C52685660546DBA439868EA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:11.340{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79EF84359344B4AB02E8AA59323ECCC,SHA256=561F722E630BE36194F8E3374162195B65392148D0F7E975D91EC623DBCA1800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:08.692{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3380-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:11.183{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF12FF4DE733299A44B0200B093CA9,SHA256=205D40B24194BA88C7EED8AE9523387B1626CDC9BC806DC4292EED1DDB23A6AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:08.563{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59184-false10.0.1.12-8000- 23542300x8000000000000000296657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:12.355{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEE63BB465720412D21A79E83B15567,SHA256=36194EFDCD25D0B100067DA55023E71054164DE468D2768A83503BEA5AC61542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.193{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4939-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.183{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3101074A5C719A389175C88D0C6AF3B7,SHA256=F2D9D7FDC2A277BE20BB17253D7EEBBF8585999D54805AB770B78D4CBA8DAE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8E83E885DAD9832EBE3C87579E90C1E,SHA256=0CCA1D692A0A20B9BD024BA31E291F75A4601C9157E98AD105AE7C3F40F59FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:13.355{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A51BCE767A83B9FD33B8415CB8CADC,SHA256=F004851D15553A0D90A63A1AA8A9DB8B31E7CE11B5DFBCD4B2D30AC33296B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.683{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9160C3F6EB0F18516021178546E3E3D2,SHA256=D7B31BB0995D8CBD9C1D7F30A55444ACD367218014E796B896BFA4FDB9018A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.199{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AEE2DBDE043DE8E9FDEB7894F4830D,SHA256=9B2D4A3760942407E4B49FFE20CAA19AD4FEA2209B16720E84BA093F11130EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:14.387{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AC8D7B6CDFA0E49BAFA04031A29134,SHA256=D3E26C1B314B16BC243257572D6B3AF645D09CAD05BF51A44A1169257D79BF91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:11.719{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6443-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:14.230{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFB72B654DD0ABF07A82F7FEC58CF3F,SHA256=74F11E409A06E53E68C3449F05B5A8D07418725007D415806289C677D50C3AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.550{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:15.230{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED64695AF4F082FD52C8DAEAA93AEDC,SHA256=62F360909E3D85EB80DC8E14BC079E209922A2A7832A44F49BE341B5FDF3CC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:15.418{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90495D0F2F2A7E9D1E63F55F698C4E8,SHA256=D281F4032B5D4B0FEF185F7DFA583EEDE8758468D5E65330D1E0D895D3E4EBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:15.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE38D8EBC508F8E8DC5CE49C664F49AE,SHA256=618BB30C123600C4E6A91E45F437C5FD4E19ED387B30709FC2FAD2820462E8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.605{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B938766D12A574DA50B94F5D4C12EE10,SHA256=6F3CB29A46F222778C66F3717EEBBF52E925257AF5C20815679C9EDBF66DBD15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:14.613{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9409-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.238{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7841-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.261{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA14BC15497FF95A06E2DA05677905C9,SHA256=CDAA08A7F39C2794F3E38942466F638E52BD5950852929D9D4471DAC71C3D1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:16.418{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3E69D8D7B0409704F2384C655EDF,SHA256=13456C3CC0570E1E80F4FD4238C8310C71794F51DE7F9970D3C77D3B67AA2287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B457315DEF36F12DC97E34DBC46E26,SHA256=AE23491229EE51DC92375C626866B7A4BF728CEB8038773800CD55A724A868CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.949{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8E1B34BE4C08A8A2FDCAECA7EBE79D,SHA256=38833153D18BFBD9A1E8AB0B6B014AF91FC96F6331F6EC6614C5C59895F0B49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.277{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDB41527E8577F452F2CB7D9460B033,SHA256=C37FC0752693E742B94B93652A88A914667861FAB3E0EC5EB6C3243A9B543898,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:14.469{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59185-false10.0.1.12-8000- 10341000x8000000000000000296697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.168{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.168{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000296662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.163{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,recordingC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000296702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.746{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AF1964D0C46F8E9F0AC4D0A1004774,SHA256=64261ABC2162FFA4F831A0F518F5870FCC086739CF602C4447F9BB3829A3FB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.158{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10990-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:18.293{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9081E4DFBE348A4CF44E27F020540C6,SHA256=0254D68AB20A7967B7AE4B56E5D63C61B90D5087390D4DDB2CE9BF42BC251FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED12C5722A5A62B32589B96949222B46,SHA256=2E294F880FA2744408BFEFB20EA9D48FC4F570EB2E893A11B96D86F37D67D5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F3B317B34548C3E8911673B4A4648C,SHA256=7EEA009B46830CD490E25C0BD1CAC1C418818B3C0F9BC6EBF61F68158C7A147A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:19.762{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FE326E3ADB2CAFE9F9662E7A07E517,SHA256=F4432C13F8E099C49F17EC7DFC90CA48BDDDD50749A35141837CB76C4CFA3E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50B1D2A14487AB4553E20E4AC6C28C04,SHA256=DBF8756C0FFBEEEB901C497549A1517A5DAF6FBA3F98A6B44EFDB1C692A2540A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.324{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2CF6E87A16AA6BBD8C1442FC50A3CA,SHA256=843A91009BEC7F4F05BBC6BAB2FD3B5FE58780A17118BFDA90C86AAB64848304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:20.777{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B366B95873FC733C1D87C37D42EF5F48,SHA256=7684BB67F4C0D41275A84FBDCF3AB1681AC653A4B26C469339435396215671D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.856{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:18.613{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.582{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12390-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.339{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94D458CB1A52AC88AA654E299798617,SHA256=4B616680DE0480794E563DE570FA0A9E779793544D18BD65AB79445331538ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:21.808{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41816259A05DCB76C0F0C66C1F383466,SHA256=EB4CEFC3C8A8029C1BE4BC571B336DA0D489514760B5B00954DBB75D89BD933B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.543{C189DCE5-9205-6149-2B27-00000000FC01}25523704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.138{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.404{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.355{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8892C722B44D094965E90E63755AA7A4,SHA256=B6C8F4BBB3B06E3B5B7C88E6AB56CB11849E77E6F5BAB50BB626796FDDCD99AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F9847EB40931F868C1C0D6DC15C854,SHA256=B9083934596A24A00ADEFF99093ACB9ECE4749FD149447287FD34792C1429083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.011{C189DCE5-9204-6149-2A27-00000000FC01}3768996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:22.840{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034735F406F62B06B2B4A7D59DD57036,SHA256=9BBBF00E7BF9EF291D0022D4001517420B7FA49D2E874982D2C9A52092508466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B77AF0B4ABA0D14D139E3340F2C26,SHA256=91BE945903A220B37EE06C0A6372ED4EEFA888D181D63986A013A3F1F9424A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C75CCACF7621542DD7BB26B39409D3C,SHA256=5CAE19DC3923E2E28D7DE1D6FC555194846F20D3618E383F0ADEB6C3C998873F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.586{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15342-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:19.484{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59186-false10.0.1.12-8000- 10341000x8000000000000000259724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.075{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:23.856{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D9140EE4EB4250821615ED1B2FE141,SHA256=25F3F4BB2DAD49E7B5D3C9FC42422EBC402828F32A12FE816E26448E33679731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.794{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2080C250B74CF06900A28CB948792882,SHA256=57E3B5FCFC330BCA7F785A9D174250154F21863477B59F67B7FC767B24963D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.450{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A40D1B71A0BA923554CC49E20B73C,SHA256=D3016C247478A192E2F0BC2D7EB31682C36BFFD61DE22DA8BA9A3BDB8140BFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:24.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A858673A6EC43EF8522B782BDAFB1E,SHA256=17338B7661D1EF2F084CAA48C4128F74A4E917B6A40A94B87950655E13A6255D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.856{C189DCE5-9208-6149-2E27-00000000FC01}12042448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.622{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.607{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.513{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C80C3F6498D0BD78F5AC1002A6EC3F4,SHA256=538D70514E72B80FE7BBF8794DEA6E29DBFB457E41D2144ED1D673AD71FCA141,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.100{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16939-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.690{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com58361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:25.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3BCD63451720033CFBBA865419ABE2,SHA256=1BDFF49096BBF0BC57D4B7ACAA306BF083B9B9FA607D36FE7FD1A8EFC634978E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.622{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59838F5AB01198EDB6A55880ECC29581,SHA256=CFECA01795D58597ECAC83E380DE81BABD1F0CCE138AEE168988DD191681F5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4F3EFA6BFC780517A4E4490CC8139,SHA256=159F079FA835443925A2470F526E28FFA92252AC633BE8F7C1A99E5EF153815D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.614{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000259773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.278{C189DCE5-9209-6149-2F27-00000000FC01}31843676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.107{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EAA139E408DAA1A142F3904CBAE2ED,SHA256=956CC24CE03B8EDF3D1E707402C757524BB28350C778C633EAFB96136C67DCBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.736{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18528-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:26.888{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105DA3FF5696B23529DAE702D62E0F4E,SHA256=7DE386B4B6D5172B12C8944AD36FB08C5BEF9D713892EA59DD9DEC6BA745B021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:27.606{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46408C5E2BF84720CEE9E4A0AE8146A3,SHA256=1B9279A71DC487F4E8F0C0DC6346509A6D9FDB2DA8B40F22B2EC6E2F6E9115B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.403{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\TwinUI.dll+381436|C:\Windows\System32\TwinUI.dll+38153b|C:\Windows\System32\TwinUI.dll+37f40f|C:\Windows\System32\TwinUI.dll+1ee2e|C:\Windows\System32\TwinUI.dll+1e6df|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 354300x8000000000000000296749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:25.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59187-false10.0.1.12-8000- 23542300x8000000000000000296748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.247{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395B95A52935CFD8AF40DEB9DCD9A66C,SHA256=01A567DBB36D8A6418E5C7565E279AA8A94835448B6DCDAB8F5F1471597C663A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:27.075{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E536FAE99FEEE8526193DCA3593B783A,SHA256=B95764CA5388000FE53D1140F46A9B6EC9099B5EBFEA0169C1FA7E9C7F26E58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000296732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000296731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-A129-00000000FB01}43164684C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-A129-00000000FB01}43164684C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000296720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.091{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.175{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20080-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.606{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F6C69BB549F8747C677E95B46911D5,SHA256=1C211701481D16B002519DED4F784292BEC3563EDA0C33BDBDB83156D2581FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.622{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=743FE81033A4E356E69BEE96BCA440D2,SHA256=4FD1671B7801A319FD108F05883C394172EFCFBE82F68413239A8AC9614A99A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000296752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 23542300x8000000000000000296751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD4741B82AF9C4B23490A2365EA3BA,SHA256=29528670B2E8FBE5DD7161DDE1291A90EAF56E904D4CA2BF3CD640B0E4405328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C362E97FCB0AAEC54997571909C98D1D,SHA256=A99AAA6671B120AF82E1897D5F5ACCFB7D9BA274494E09EBAB6BC7652F455446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1F5514F8987C134DC964D46C1BF8B4,SHA256=26C9F19B7056E5A87009679496A12E62F934BB1E6D57855B5C3A1855A0F0B1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.656{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21581-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.622{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F03FA0B32F5059E1D70927B58F90E5,SHA256=FCA5A6C6B143BD9AA6632C30ED4D2623FCD039BDD111830375CCB6BE951CD99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:29.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29D57FD9E5F5BC88E11ACD0BAE7187D,SHA256=0643DF2746363BA76FC7F204935F9B980A32F3D15692E8C8412F5F497924ABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.151{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23074-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:30.637{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA3D5A4EEF18ACDB353BD9997BC0377,SHA256=952DAF0CB75BD73F15D2FF93045556ECA530C8D1EEF7F516C168968CC297E920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:30.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED84580A242397B9C58A4BB542B5485,SHA256=915BE46B5F05D258004F279699D6BE627D292F43D8CE92776EB104A28A031EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:31.653{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2F38C1C9A1B5027A2DF151AC7742A,SHA256=A17BA5F93CA92D1ADAE2EC00FDB062A0ED19AC3DD023F0F831CD62EC5A6BB7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:31.075{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0604E25E51240069E56718EBF2D875CB,SHA256=226D0D4BB20B96F52565628889F56959C31F244EBD8B0E2D4D04F664CE88C904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:31.356{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9819AB8F22AC3BE8C0C251934E45F6BD,SHA256=5068E8788786C636CEF73CDB71CBC79306F3365580CB8DE8B97AFDF196BABA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.567{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.478{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24544-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43861AB02DB458165389588411953304,SHA256=BBA034DFE2BDAA4A63568AD122910B930631FF522C8E3B142512ADF0C25545C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6292FE470FB939C41AB7CACDC247F07,SHA256=3EE7B709A995674E7A10E46A413C9C44DB19EAFB294E3CD4EFFE226AFB226900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:32.091{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77C9735C06399FE8E7EE56A877BA9F,SHA256=744629C551AD0B6153B237AC8C2D2DE4B29C06660B42D4B46F9A4F381491BA84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:30.908{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25849-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.716{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF25AB54A835B8487032DF2BB802619,SHA256=AD4437FFD83AE30234180E56760B9ADEC90F483342725E0B3FCC86DC858C267F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:31.345{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59188-false10.0.1.12-8000- 23542300x8000000000000000296760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:33.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0C18FF2D3D14E6CE3346E0A9EB263E,SHA256=C62296400FB1D14FBFB6E22808FB096077E89B8F7A6A20D2C188E3122B443BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.385{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27422-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.384{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27419-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.292{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27258-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:34.778{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD27D53AD2E3C229CC39DD650501503,SHA256=5FA520B4047E9B9A95C9A2FCE784B2E830F1886012B7775AD34093C9133CFCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:34.122{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5570AC947FD7039BBCCF6769345FB0EF,SHA256=02E434B762211F40F5C82F894BB78F1F8E84340AD1DE483DE2955955EA29D7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:34.325{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEE87FE0D25822A9B96A2DE11DC2895B,SHA256=0412D9E15D97EF269F4B4A9B698204BBA90809BCD9B92FF5C3018F3E38FF3341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.981{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ADBFA4614269FFA06F7C9B786346A1,SHA256=2BD443AF2821EB56E8C146139ADB602C87399E84E4288823B03731AB23B274AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.974{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29016-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.957{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28971-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.825{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B319D02CD4A194960D94272B4435E52,SHA256=BA5F1F0FD6B5A969E93521F8A3BD9E0FA173E80DB469AD6A74B790EE21215221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:35.153{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E067E659D31CCE44BB26B2062D25B1D,SHA256=D828AAC884C0D73247CDAFB3A3C2D7979EF9D2553320317A8620DA384074C81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:36.825{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B4C94326617857F52143BA2CEF1216,SHA256=1214BD9E36D2C57D6DDD831B481BEE39F6E2B99B9AED020609A5F5A28A495D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.409{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.366{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.329{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1371MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E69721574A3510BDFDAD05F817A0B9,SHA256=BF3AC4259A17270B1C8B1F64D2059D95B0D69219176CD257197F5FE801346A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:36.278{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55171E34D3DCFEF5278F7E8729092C77,SHA256=BE6C19E9866121B462F5E605F43F27777644E4AD883AD4E38B2D3872254262DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:35.703{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59189-false10.0.1.12-8089- 23542300x8000000000000000296769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:37.332{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1372MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:37.175{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDF4D110E1923839C27357E23F39E45,SHA256=81C4EF598486CE02C821148908C732B35D38F0578EA1A556349592203F7C44DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.481{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C825CF0EBD20677DA1AD427FE61F4288,SHA256=A9329C5F61A62564598F9122E17566A0E857BEE57D547627891D28AE15C5CFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6AA3EC2F648D62B0FA869C88FF5BCB,SHA256=F59554E12431416032287E4EED5D433878CA8A33BE007E9D1C3A9757F0BC9FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:38.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC61FDDAF1E784A57CD9841467D80818,SHA256=B8FB8D604A8807A262C15EC65CBB77C2EA002938B2D1A2AB3E833532EEC3CAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.754{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.580{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30604-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.549{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.535{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:39.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD25F7C5EFD0EA2954E73C413E57DB3,SHA256=6D82C301F3B1274ADF9B0EEB4BAC52DE176F874AE3D89477731C8859368054E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.476{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59190-false10.0.1.12-8000- 23542300x8000000000000000296772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:39.223{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A210AEDAA602F67203148F3AE906E99,SHA256=1C246565F480490544F1AF4050E4C6AEA4F3E5026414AF547964DB81F8F8F163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.112{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32200-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.088{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32156-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:39.012{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79AC2CCFF2014830D66C3400081404A5,SHA256=9A9A82288957EF2EDEC84FEABD7F031633CB3739B304AA8ACB76E9364BC1FA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.950{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95150740322241D3442A8D2F016B3FF,SHA256=BACC2F46FE08A81F96C57BFEDC0E1EFCACAE572DFE84B2F4E947085C76415129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:40.239{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39613A5E5180FA685502BA5D2A4AB588,SHA256=4E8B521B3D86ACB2B125DBCD9395AD6CFB9C6381B5E2AAB58BC44BA537BCE6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.450{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4CFD3289A978AC17BDBC52B1C1E534,SHA256=A46D8F20002933A22D52A9ED153DDB0B5C7B04A3E1B574C53AB1FB1E93F5F8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.981{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23BF021486B7E5B1595717609084336,SHA256=F3B9C6CEB739192E9BD1F8588734957A543989DA288E604E9862DB43EED0E4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:41.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8A3090ABC10E1E86D4DEE2059761A,SHA256=2724EBBD763C895710C4137219636EFDCB1DECF93B38E4BA10BEC1965F67494F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.778{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DA47E4476913F8FEF9986EE7677164,SHA256=69A46E2BF21086DB4F1F3803778A9319AE97E31BBE393C42F54B08AED75A0DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.596{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33792-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.587{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33770-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.984{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2C5AFE6A360027FE0F2072B17C00FC,SHA256=D61F1C7497C6D4B7F1788F0B8F98FB9AFD13EE1C4309678DA889EAFE6DA1837D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:42.301{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F31733C11D9B359E3638981411F713,SHA256=83AEFE5B226B36A6B96060D09E2202D99413D9DDFD13D6FE0DDE94321DE7D74E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.707{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.145{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35315-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.002{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35184-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:43.312{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA812AEEEF98840F3C452DE165BCB8BF,SHA256=D55C0FAB2FF53589B72D3D9415DE4FB2DFD3FF86B8B16FE2F8C16174769FF88A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.661{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36908-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.421{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36652-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:43.438{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1363MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:43.249{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9322BC9EB9BF33069AF525D0897494,SHA256=45B4EB8D2D781E86D4CE55F5FC9B56D5015274066BB9F17570001D8388CB1045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:43.139{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:42.368{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59191-false10.0.1.12-8000- 23542300x8000000000000000296779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:44.328{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA99C767F62139D0E368AD5BFF425923,SHA256=54B78B7353D7FD631C0B82D19C4E330B432E0FF37157D238AFF18DA845F641AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.824{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7A41C6C995A51A2D87FF1B4E3934512,SHA256=0245F1E223FFC5687C9E085826E9D26DA222F98BBD6785035A36F43729C89AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.452{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1364MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA259C34A0C1E68CCEE5A9D28CEBF27B,SHA256=A7089A555559697361CDE86DED67DB99F935BA09CCF0470FDC4E8DD4A64973C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:45.343{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060041186C5912FF1F9267A89FDA408E,SHA256=C7EFEBA00E08739CED594A78B70AEDD673EA7D5DA8F0610E28719B2D99DBC793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:45.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC51DA37EDBE0002D0E62319543F1F18,SHA256=6C747432EBB26348E69113437271B82C560E79587FB4551590AE4676740FBA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:46.359{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143AC4A159ACB841E0A1C2C125F388BB,SHA256=9ABE9AF271C5273631992CA0117EE86F074173B517298A69247CD4A0E5BD406C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C6474ED64C120545363BB683452FAF,SHA256=EBA746E3BBA4E22913E15D901276A2E7188EBFE0DDACB3CA4DCB80851107AEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.092{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89149E52CDC1899AE06C46CB1E8B6E2E,SHA256=C49A2E86114E001852FBC8F610C6C3914295814F5AE807ADEF5414E1CEF543A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.973{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38249-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.883{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38057-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:47.359{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6031A6F46251699BD819479C8F17C2,SHA256=B8F96221274198D18BC39EDA52467229C7059352DFDE0B48822C3FA7F75EF2D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.611{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39760-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.567{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39655-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.108{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5289B2D42A23723EE4849B5C2BF79DD,SHA256=EA1052821AD8C55F8DB98D1DAFC8760840D215B9F88DCB7D445DD4A24AD70725,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000296792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0508ab6a) 13241300x8000000000000000296790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xf61a1721) 13241300x8000000000000000296789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x57de7f21) 13241300x8000000000000000296788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0xb9a2e721) 13241300x8000000000000000296787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0508ab6a) 13241300x8000000000000000296785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xf61a1721) 13241300x8000000000000000296784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x57de7f21) 13241300x8000000000000000296783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0xb9a2e721) 23542300x8000000000000000296836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DFB154D18F1E6105D8300CEED8FD4C,SHA256=DAC33C4EE250193C8FAFAE10D6D1F5267AA2D0473852F5DB0D11AA657A99803B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.265{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41308-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.265{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41309-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:45.740{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:48.123{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6CDC48798AACB461953E09C4D21B9C,SHA256=6522BDDB73A9C4C76E7B55ADAE68DEF62A62E882B237CD542B5C0623827C7238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:48.123{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9515D18F712FFC3E0B50107FF634AB0B,SHA256=8C99EC1F90F5CC10E80AB24369922BCF0E1648E4E71A9D0D659D01FD7E35A4EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:49.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA77B61C3BCA3873C680552FAB79AFF,SHA256=7831B167C95FB50D0E7D7ED52B3ACA0CAA39DB76006BA0F8B7D5F2471CEC04F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B52BC3F9E23F621132DAC43778C2691E,SHA256=C80E0F3EE2FC1B7F5D898A1C87E188767FF509B675F3F7DC074AA2A85A3FBA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAE4ADB6CFCA525E36739CEB8581884,SHA256=CC8959A705337296B3FA96F4895721E19C2C77A6A2343009DFAC2924ED3B700F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:50.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39D222B4C594F53F9A137AB597F55F3,SHA256=DA7F366EC742EE2B87530A7949120C5616EABA344591E426E445C62EBF467515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:50.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DED2A659017931DFF55F85099065E4,SHA256=A100E00792FB0032B242EE9A6E3954B649AEBFC6C2458098F622F6EEABB23AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.798{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com57264-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.720{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42859-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.702{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42842-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:47.535{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59192-false10.0.1.12-8000- 23542300x8000000000000000296840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:51.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E34EE77AC0E43A2B39EE0C1DD57DB0,SHA256=2675EC578A7A3370EA18AA498E1E882744786151E6B8894B3A48E8A6B2DDD96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.420{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C50163AE1CE9DED5C07E103F54A47,SHA256=4F016002B8DF0A7D1B60BE94BE30B7E7CC4BAFF431CE80550956DD3C2D929880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.139{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=536CA7666F085BBC1A29ABB650B538AC,SHA256=8167125E517A4F23AB36B2AC93B8FCC035D1B322E542363978C0578F07A2717F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.687{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F179BA31CBA9E5F46BF942AFCA8BCD0,SHA256=26ED24F6BD375744B2EDF4E9FF939114BCFCF2DCFD7242D6E6C5CB58B3973857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FB29B5440FAF53D8E071876C293A477,SHA256=68CFE5A55C431B5D24A2B94233DF7C97CE9D71A42B4E50FCE9E84F02321E60DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE7B6F3C555CE5EC2DE05E7CC6D0624,SHA256=D040DE498388A1EC8C7B851AD6ED857742B3501E51E908E93DE56F5FB2A0C175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.421{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44596-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44407-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.906{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DB37FAA7FF9A34714EF281A3B39647,SHA256=87CECE67806FAE4789DA96D9C2FE154D7899189A8BBD2FF1865EB8DABFF2C9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:53.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE94D6661A76FFEE5BA79268D0E6EC85,SHA256=4C90C449AF50528E98BF89730F7DC24034FBADECB6B311EBD383BEE03510760E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.860{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.188{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:50.705{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45922-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.498{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C1E6602EA63C9A4A186C33A7D7868,SHA256=9A81C53259FD77D794EA247CDB969EBEE3FB6A2EB3FCF2A82B39D924E6BCED30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.703{5097E253-9226-6149-A22B-00000000FB01}64405992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.532{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.421{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-9226-6149-A02B-00000000FB01}33124240C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8b85|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.410{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000296877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-9226-6149-A02B-00000000FB01}33124240C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483D-6148-1300-00000000FB01}9205536C:\Windows\System32\svchost.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483D-6148-1300-00000000FB01}9205536C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.375{5097E253-8792-6149-AA29-00000000FB01}48167424C:\Windows\Explorer.EXE{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000296868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.385{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000296867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.015{5097E253-9225-6149-9F2B-00000000FB01}3841896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.042{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46071-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=097977DB1A9C5864D2D4942154AFE6AF,SHA256=15D28493829022AAFF17866C5112B027097059AC07EEEC6951E90D57B95DBD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C04AE55A7D88B9311D344C467A3A060,SHA256=7856EE91C95278D6B8DCD78D99371D2F5C2C95F23DF70597DD1F788EABEF7271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAEFE13D21F7E930A0F477FAC41FBAA,SHA256=789B0BF2C92A1D09A41B7E389FF3A5B42B526A1C0DEAD836447413309CEB5908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000297029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000297028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000004498B33E5F) 10341000x8000000000000000297027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b52aff|C:\Program Files\Mozilla Firefox\xul.dll+73e84|C:\Program Files\Mozilla Firefox\xul.dll+12470d8|C:\Program Files\Mozilla Firefox\xul.dll+8ad21|C:\Program Files\Mozilla Firefox\xul.dll+8ac78|C:\Program Files\Mozilla Firefox\xul.dll+abdcbe|C:\Program Files\Mozilla Firefox\xul.dll+8723f|C:\Program Files\Mozilla Firefox\xul.dll+c2fb2b|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+1bb4759|C:\Program Files\Mozilla Firefox\xul.dll+1b5f3a6|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x8000000000000000297026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.968{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x8000000000000000297015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.921{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.2.11509637C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000296996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.2.11509637C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000296995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.1.187520144C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9227-6149-A52B-00000000FB01}61486816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b5f85d|C:\Program Files\Mozilla Firefox\xul.dll+b6f7fa|C:\Program Files\Mozilla Firefox\xul.dll+b4ce69|C:\Program Files\Mozilla Firefox\xul.dll+b625a0|C:\Program Files\Mozilla Firefox\xul.dll+1a1a5c2|C:\Program Files\Mozilla Firefox\xul.dll+19205a2|C:\Program Files\Mozilla Firefox\xul.dll+191e8cd|C:\Program Files\Mozilla Firefox\xul.dll+3858d8|C:\Program Files\Mozilla Firefox\xul.dll+fb7376|C:\Program Files\Mozilla Firefox\xul.dll+fb6c0d|C:\Program Files\Mozilla Firefox\xul.dll+fb6e03|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457 10341000x8000000000000000296989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x8000000000000000296988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A09511A8B248A51CFC523E807AE1805,SHA256=BE584FED3F55E245C15ED2D35F38DA8A2D56B6FD27AF7E26F5674EDCCBF64839,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.875{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000296985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82 10341000x8000000000000000296983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca 10341000x8000000000000000296982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000296979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.828{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.1.1875201444\1889276190" -childID 1 -isForBrowser -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 697 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2172 1e78d59b738 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000296971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.828{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.1.187520144C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000296969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000296968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 23542300x8000000000000000296967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.765{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A67F09A6CB3F4CEE871205731501D3,SHA256=CD24DC5D6190CAD0485B944550303D7E6E73CE3883054E1EC4543918EE7F9C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.724{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BC2E3FE1AE1047B3D277E784CBA870,SHA256=3987F9B79D26E069DD1F4E8B1972ACB4E899D4F1DDB9B30E2DAF91B35AD73A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.656{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.656{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.640{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.640{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+2a963|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\22963MD5=B73D477915D0124D2E49398EDEA50A66,SHA256=AF0AF6C7452AA5A8CFA70AD371FF0FE3C0170BE84E53C9F377C8C4CC5C3E97D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.578{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.0.161662067C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.562{5097E253-9227-6149-A42B-00000000FB01}4180\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+1756ea4|C:\Program Files\Mozilla Firefox\xul.dll+9fbc79|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.548{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.1616620670\1728258852" -parentBuildID 20210903235534 -prefsHandle 1320 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 244831 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1428 1e7ff162d38 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000296924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.0.161662067C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000296923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000296922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BC2E3FE1AE1047B3D277E784CBA870,SHA256=3987F9B79D26E069DD1F4E8B1972ACB4E899D4F1DDB9B30E2DAF91B35AD73A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5B2D22AFD03D90F809C234B7428EDD,SHA256=11A58E755556D256E6513AE1A334E077F8E8F811E3FF34E9A46FAD7EC40CC928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED12C5722A5A62B32589B96949222B46,SHA256=2E294F880FA2744408BFEFB20EA9D48FC4F570EB2E893A11B96D86F37D67D5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.484{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.359{5097E253-9227-6149-A32B-00000000FB01}74687712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.204{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.735{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47898-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.197{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47537-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000297235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A10C71A49B561E11E3470ACCA1FC762,SHA256=34C653312BB80C2E9D465DBDD74EB0DDD1DBB5BE4EACEC43AAE07C551F864841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.6.41327713C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c272c|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.6.41327713C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000297221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.5.27724511C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.876{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.876{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000297216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.849{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.5.277245112\1007150842" -childID 3 -isForBrowser -prefsHandle 4012 -prefMapHandle 4280 -prefsLen 7186 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 4316 1e7921b2938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000297192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.839{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.5.27724511C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.708{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.692{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA170B81BAAD4B7C81C375FC408D4CFB,SHA256=A57A4F5D7E3A24E4ECEBC171B51A4B4608E94FB64176DE90CFCB5E0F92AD8C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.676{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE3B619C63C31BDA5C3824A0B9F162F,SHA256=E0518DD1E014CF2F2CBF778B8C891941A1C6BBBF962814807FE1E83C81D3C8D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=0328245E8F5D6BC987C6685144538496,SHA256=9813055FB3E82CE974D6F2A7D8A6DCBB0879DBC98D840602174C9AFC90568BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=5D4E4BBDE04F52457A4E3E4EB25209F7,SHA256=59FFEDEA0674FA13DE1F920AE3AA7DBC375CBFA28BB8B7F1783ED6DC79A5B1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=80340E65A4566454C4247FDB04E934CF,SHA256=368B8E55AB17C3E228ECF7397A9EF4C533C20417EDCACAE6270A2123E51FD552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=9D93EB60DC97C82AD2E9F4E3463AD200,SHA256=35007C486644AC055E9519A7208981D415AA2058EDE779234096EE7094FC99EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=C9D8BF8DADBAE1853F39EBC3FBECD081,SHA256=FE9770A3AA08CD5BD42C0F306503ADD47BA925B630FBBD330FBB3B27A5303E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=188D79E1F278F210601049117B35438C,SHA256=29B5A11B1200BF084F0308CD4A3A959A58A7308BE89B5051DD2059FB91E0ECC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=91F58FA4B6A83D0E786D7C6C6351030C,SHA256=B39256DD11C0CD6566E6C81C7F0919B0681DA1FB0EF602CEFC5C705609AAA844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=86D734071098CFD62911A8FA9C87D6A3,SHA256=1049B7A6EF95F80D97547E5D8B154189E972EC26F27CE29874BA1E44509A5FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2216E19DFD331F1FF76C092321B56485,SHA256=650FA75C893FF6798F6022D4707F7C0CE1079C97C77FC702FF543DE4452A287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=24C8C77B00C2FC97F8AFF34C78A26FB0,SHA256=B23DC3FF21703FE7A8D3B42E9963601AD666BDF91C209D1D356386EACD107A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=CA44C2C54AE0B72FA1D43843EDF4306F,SHA256=30E5BDF6AEFCCBAF0CD0194E4F350EAD0978D1C668A35FB9EF3DB7A8A0BC1B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=07AAC8781B5C7A1D4D4086057081F10D,SHA256=D30543C0C95643B1B87E1324BB751CF43F4494EB934C41447EF00A4C57A99AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=29629223838B150D32066B47A37D7B22,SHA256=BD5F217A0FF45B6696BCB865E88F58B822747F19195062B0DE96D014191E5320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=7BD89D98295FAD91A797A361F505EF8C,SHA256=813A5BAD526A1FE1793B541F13FC5B54B9621CD6A68914D312D70EE59908F93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=D403884AAB8A13FDC77100D40F712E6E,SHA256=858D67BD4F9D40423569B63B1AA7BE2850B42173B4D8E6FA48A433A54273F2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=DEA94695AAB300A0DF65B6A37F79F08D,SHA256=DED66BAB1F3916D63C22296069165A980FDAF7825A40B8959D79758F620FDA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=35DA86BFDA8984A6D49A73C7EB60874C,SHA256=1A293527B40BD97DBC4AE8552923CD7D438B9C2CEAE9B1BD7B8563935FDCB935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2216E19DFD331F1FF76C092321B56485,SHA256=650FA75C893FF6798F6022D4707F7C0CE1079C97C77FC702FF543DE4452A287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:56.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C063B92E7719760454C65B71DB45E36,SHA256=21084031072B79090426BC9372ACE0DA119ED166C6D5BDE553CBBB61BC79A99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=6925DA2F4982C34937214D5D121975F6,SHA256=29D6F0E6E0C20364C830B256D6653EF62B14CBDF03B2C0CCB80A7A32FD56859D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=7ABFFE156CFCF61314ACF60B8B8CADE8,SHA256=D33B384DA2A6542D3F4892AAE6CAFCB2B769D867533F71EBF28DACA82EF68CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=3B525D20AB0FD94A6337A1305026B6C4,SHA256=1FFC3B216DD0B23F73D3E1F722FD7AE8EE9BDB41530ED924C6E01D085CEFED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2C3D768B790EED2F0D1DC79FBF7D96BF,SHA256=378A5FACD0945C9ACCE71D3B6E0FD9859F9B272763FDBD2C8094EC1F334FB7A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.377{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b7b74f|C:\Program Files\Mozilla Firefox\xul.dll+1ab2937|C:\Program Files\Mozilla Firefox\xul.dll+efa040|C:\Program Files\Mozilla Firefox\xul.dll+bfb6f4|C:\Program Files\Mozilla Firefox\xul.dll+3136cd|C:\Program Files\Mozilla Firefox\xul.dll+399c9b|C:\Program Files\Mozilla Firefox\xul.dll+39949d|C:\Program Files\Mozilla Firefox\xul.dll+be61ca|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355 10341000x8000000000000000297149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.377{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c|C:\Program Files\Mozilla Firefox\xul.dll+be9f77 23542300x8000000000000000297148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE43EB95DB4E639E0A1563011983DEDA,SHA256=51E177280FEBB380EE4E36D23131A47AE58F8B458217E80F68F437847D7EA1AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.308{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.308{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000297145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.277{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 23542300x8000000000000000297116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99027F90B51E70503307A871C1075772,SHA256=1E81553267D98B8AAD24E7AF1B20000B9BF816BD22EC11F918714D57CCF27573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.241{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-1C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000297095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.535{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59193-false10.0.1.12-8000- 354300x8000000000000000259885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.275{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49471-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:53.815{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49016-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000297094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397D18E4F2341FCD0382F52D06816BB8,SHA256=2F786886EBB6BA2B287403A08B21D62A94D14A6BC7E49AF5852E2464BD2EC93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.4.109945293C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.4.109945293C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.3.93426360C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.177{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F30B5789114E63EA3E3CA0D94F440D,SHA256=3C69CE412CC6282AA6AD31F3DBB0DD5B090AC9FE0DD269CAD63044227A416A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000297075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 10341000x8000000000000000297064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f 10341000x8000000000000000297061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000297060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.155{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.3.934263603\1130842543" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 6352 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3536 1e78f52cb38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000297052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.144{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.3.93426360C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.142{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.124{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8459EB1D6CE112133358D0E349DD1ACB,SHA256=D7CE2B6A63F7B4FD4E68E0F424CE420657C0075FDAFE8B706E115EAFACE9399B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.108{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.062{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDD96DE91E3936F5D2DF6A23BA73B63,SHA256=E708FF3A464A9FEC90C8F8369189F0428954EBF9F4E4F412AF0CFCCA6BBCE1CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.046{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.046{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000297043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000297042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 23542300x8000000000000000297041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD60CE0473182CF8F8BEBDB44B95736C,SHA256=3C1FF370CAD1B07C654F2ACF75DF7B7D2A37ECF6C0DC39F0D5287DF21C0556A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.032{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.032{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000297031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.015{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5C0CF1D0A3F8D41DBB530CC47CB028,SHA256=7FF9624C41AB8825630AFBEB4BB27917EA9690DEEA662CEE48F0C946568837A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.896{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59213-false93.184.220.29-80http 354300x8000000000000000297365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.895{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59212-false93.184.220.29-80http 354300x8000000000000000297364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.894{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59206-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.892{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59207-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.883{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52451- 354300x8000000000000000297361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.876{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62513- 354300x8000000000000000297360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.876{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49696- 354300x8000000000000000297359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.875{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63240- 354300x8000000000000000297358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64053- 354300x8000000000000000297357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63204- 354300x8000000000000000297356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58871- 354300x8000000000000000297355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.872{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63309- 354300x8000000000000000297354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.871{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63236- 354300x8000000000000000297353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.871{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63857- 354300x8000000000000000297352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.870{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60507- 354300x8000000000000000297351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.870{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49578- 354300x8000000000000000297350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.868{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local65200- 354300x8000000000000000297349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.868{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58870- 354300x8000000000000000297348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.844{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59210-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000297347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.844{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59210-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000297346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=389A58B23D79C07A11D5FFBCE3056235,SHA256=D317C6126B7D1832AE9A9155DE1F38D5C816226790ED9442F55868B165CEE8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=AEA41B2D76C79B6A133AF4C425CE0C2B,SHA256=56CE1EEFB867B18201893BF7669AA997F69C78D2EFBD902553D664F237439CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6857A4406C0ECACD916A3007A5C2A153,SHA256=778AE8D3F4E0818AAB63682D1715DD58125193E71B97F222EC6AC2135221D477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DFAE4C9D8900A794C9DFDE4404930786,SHA256=CCB7A34A1BF7172197D627F76E4C9E0328B777402A2B0A59F09A0A50A8A5051D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=9B365E8EA9A833CAC3ABEFE7AFF9E22A,SHA256=3A2C0517773855834A132E55421189A724EE88CA677F4DAF41AC1454711D35BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=55CBB0A6771CED8E0145F83053A0E86D,SHA256=3D7A7E394C5087DF66DEC4E81BF4A751FACCA1A7A71E21E5C95E9444E276261B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=AE6DD8668801AF061727B194D2640646,SHA256=54225B7FDDACCF805031517589C30E5F33BE6F8CCF513E6C1928B2D8CEBB4AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=332AF4DDE88918F3FEEC3ED060935A13,SHA256=A0025805EDC6C1872E1DAD7529B9D5652795ED013C86385B48E7E38F30E2300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.590{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=332AF4DDE88918F3FEEC3ED060935A13,SHA256=A0025805EDC6C1872E1DAD7529B9D5652795ED013C86385B48E7E38F30E2300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.574{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.553{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FA03997D7F51036AE9052E9369A8FE,SHA256=0ABC2C75C1105FBAAE25BA08F0C88F0CFB816A089FD00C9A4837660E178B247F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=AEA41B2D76C79B6A133AF4C425CE0C2B,SHA256=56CE1EEFB867B18201893BF7669AA997F69C78D2EFBD902553D664F237439CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DFAE4C9D8900A794C9DFDE4404930786,SHA256=CCB7A34A1BF7172197D627F76E4C9E0328B777402A2B0A59F09A0A50A8A5051D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.777{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59208-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000297293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.760{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59209-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000297292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.759{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61927- 354300x8000000000000000297291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.758{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51327- 354300x8000000000000000297290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.739{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59203-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.723{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59202-false52.88.142.33ec2-52-88-142-33.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.639{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59205-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000297287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.639{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61515- 354300x8000000000000000297286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.633{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60030- 354300x8000000000000000297285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.611{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59204-false142.250.186.42fra24s04-in-f10.1e100.net443https 354300x8000000000000000297284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.610{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61548- 354300x8000000000000000297283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.610{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52349- 354300x8000000000000000297282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.595{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49673- 354300x8000000000000000297281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.594{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63129- 354300x8000000000000000297280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.589{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59854- 354300x8000000000000000297279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.573{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49541- 354300x8000000000000000297278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.573{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63531- 354300x8000000000000000297277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.571{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49524- 23542300x8000000000000000297276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.490{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAF147F18E669BE331B7BAA860656F2,SHA256=91CFCA77DEDCBDF815644343023A763829A1EC85FD0490718A00C037923CE9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.453{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.390{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.251{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A1520979CFF826AC744FE51D93C1ED,SHA256=06A66E0421542EF1A8AEA84E7828184212F40E461F58A5ED06945482C162ACE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.537{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59201-false18.66.139.28-443https 354300x8000000000000000297271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.537{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63886- 354300x8000000000000000297270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.525{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50771- 354300x8000000000000000297269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.501{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59200-false2.16.216.73a2-16-216-73.deploy.static.akamaitechnologies.com80http 354300x8000000000000000297268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.501{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61056- 354300x8000000000000000297267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.457{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59199-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000297266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.430{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59198-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000297265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.427{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52988- 354300x8000000000000000297264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.409{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59197-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000297263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.395{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59171- 354300x8000000000000000297262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.394{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61928- 354300x8000000000000000297261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.384{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59196-false18.66.139.125-443https 354300x8000000000000000297260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.384{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63451- 354300x8000000000000000297259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.383{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63498- 354300x8000000000000000297258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.379{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60794- 354300x8000000000000000297257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.378{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868- 354300x8000000000000000297256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-59195-false127.0.0.1-59194- 354300x8000000000000000297255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-59195-false127.0.0.1-59194- 23542300x8000000000000000297254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.173{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.075{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\pending_pings\23054506-1e01-4370-95a8-bb4d28704869MD5=6A400853C57E3EB42E2E40EBF34E0DA4,SHA256=4AFCE34C96FBBFC52B6D916E865FDF3379EE4B4074882947733CBB8D234E2133,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000297252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:142.250.184.238;::ffff:172.217.18.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.185.238;::ffff:142.250.181.238;::ffff:172.217.16.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.544{5097E253-9226-6149-A12B-00000000FB01}4420www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.544{5097E253-9226-6149-A12B-00000000FB01}4420www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.283{5097E253-9226-6149-A12B-00000000FB01}4420pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.269{5097E253-9226-6149-A12B-00000000FB01}4420pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.164.22.70;52.27.6.50;52.33.45.66;35.167.137.152;52.13.236.190;54.190.205.249;44.235.28.153;35.167.102.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.178{5097E253-9226-6149-A12B-00000000FB01}4420a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a4;2a02:26f0:1700:f::1737:a194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.175{5097E253-9226-6149-A12B-00000000FB01}4420a1887.dscq.akamai.net02.16.216.48;2.16.216.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.174{5097E253-9226-6149-A12B-00000000FB01}4420r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.16.216.73;::ffff:2.16.216.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.103{5097E253-9226-6149-A12B-00000000FB01}4420example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.102{5097E253-9226-6149-A12B-00000000FB01}4420example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.071{5097E253-9226-6149-A12B-00000000FB01}4420prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.069{5097E253-9226-6149-A12B-00000000FB01}4420prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.068{5097E253-9226-6149-A12B-00000000FB01}4420d2nxq2uap88usk.cloudfront.net02600:9000:225e:7600:a:da5e:7900:93a1;2600:9000:225e:b600:a:da5e:7900:93a1;2600:9000:225e:9200:a:da5e:7900:93a1;2600:9000:225e:5400:a:da5e:7900:93a1;2600:9000:225e:5c00:a:da5e:7900:93a1;2600:9000:225e:bc00:a:da5e:7900:93a1;2600:9000:225e:2e00:a:da5e:7900:93a1;2600:9000:225e:7c00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.068{5097E253-9226-6149-A12B-00000000FB01}4420detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.058{5097E253-9226-6149-A12B-00000000FB01}4420d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.97;18.66.139.17;18.66.139.125;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000259889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:57.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FB47C6EFCAFCF4ABB44D87E6269183,SHA256=55D8A76A0F1AD145EA4543674DA740E3F9FC6CA989EB844E6AF106F599F14EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.330{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50541-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:57.311{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAAE00FFE2C8F8782BF103853F65EECC,SHA256=B09F1C0936CC445F5A3C1AC13590F4F61B842CD11F3860A316F834773170F1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06191DCAB7B512DD22BF24C606C8A441,SHA256=D1E94CE147A3B37D3F12B65CDDD741695BA1FA380A16B926C477BB81B4F64734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.405{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05DCA7987B555B45BB77E3F6DEA8C58,SHA256=48CA6A20EAE35E7BBE0D0F42550EAE6CA3CE22534E5C4E2393F9384D9820DC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.991{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59211-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000297381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.221{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.221{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDC69BF64F3A88B0A38137AFE367DF,SHA256=66DC4975DB30244B0D5A754027691D2A8409E260BB3690D9B053B67C6AFA4A00,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000297379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.555{5097E253-9226-6149-A12B-00000000FB01}4420e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.551{5097E253-9226-6149-A12B-00000000FB01}4420e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.551{5097E253-9226-6149-A12B-00000000FB01}4420e11847.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.551{5097E253-9226-6149-A12B-00000000FB01}4420reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.550{5097E253-9226-6149-A12B-00000000FB01}4420www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.550{5097E253-9226-6149-A12B-00000000FB01}4420e11847.g.akamaiedge.net095.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.549{5097E253-9226-6149-A12B-00000000FB01}4420www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:95.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.548{5097E253-9226-6149-A12B-00000000FB01}4420reddit.map.fastly.net0199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.548{5097E253-9226-6149-A12B-00000000FB01}4420www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.547{5097E253-9226-6149-A12B-00000000FB01}4420youtube-ui.l.google.com02a00:1450:4001:827::200e;2a00:1450:4001:828::200e;2a00:1450:4001:829::200e;2a00:1450:4001:802::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.547{5097E253-9226-6149-A12B-00000000FB01}4420dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.546{5097E253-9226-6149-A12B-00000000FB01}4420star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.546{5097E253-9226-6149-A12B-00000000FB01}4420youtube-ui.l.google.com0142.250.74.206;142.250.186.46;142.250.186.174;142.250.184.206;142.250.184.238;172.217.18.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.174;142.250.185.206;142.250.185.238;142.250.181.238;172.217.16.142;216.58.212.174;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000259891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:58.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141259F83C584849B1AFEDF0B1593C3A,SHA256=C5AF1EC67EEF9D1B812DBB7FFD0A0CD8094DD77A70A49D557956F9D5F0AD9AB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.936{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51213-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000297414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.537{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.524{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C97564A9E2B1AD4E4A37751CBB84A26,SHA256=C7722E322491E542C066E24DE40FF2AA211DEB909C6829965D332FDDE9AD1EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.469{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+fdc990|C:\Program Files\Mozilla Firefox\xul.dll+fcd08b|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f 10341000x8000000000000000297411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.468{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000297405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000297404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x8000000000000000297403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000297402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.335{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 354300x8000000000000000297401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.410{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58868- 354300x8000000000000000297400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.410{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:100:0:98e0:83f8:86a1:ffff-58868-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000297399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.382{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64430- 354300x8000000000000000297398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.382{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49650- 354300x8000000000000000297397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.382{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52650- 354300x8000000000000000297396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.381{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50952- 354300x8000000000000000297395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.381{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62066- 10341000x8000000000000000297394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.304{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.272{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 22542200x8000000000000000297386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.565{5097E253-9226-6149-A12B-00000000FB01}4420cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.563{5097E253-9226-6149-A12B-00000000FB01}4420cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000259896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:57.516{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52851-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:57.050{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52325-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:56.725{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:59.561{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B817B89C766A5D04D37AFBF987B97C,SHA256=D6661171EB4B1DB21FDF9B845BAC1F095501A2E280B2187614988B2EC4E18898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:59.108{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31E2709E148C280D5C01D38C55FA6F51,SHA256=C5B061841DD60580391A7ABB2BC141F8ECC314CEFD246E6216392BBB6B6CD1FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.746{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59214-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000297430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.726{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local49628-false142.250.185.228fra16s53-in-f4.1e100.net443https 354300x8000000000000000297429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.726{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59771- 354300x8000000000000000297428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.725{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60451- 354300x8000000000000000297427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.723{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49627- 23542300x8000000000000000297426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215C3043DAA3D611B8B90003F0A2080E,SHA256=085B3183E37CCAD1B134242C0298EC09ECDAEA19F0A21EFEDBA093EFF69E7670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.645{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56949-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 354300x8000000000000000297424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.607{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58307-true2001:500:a8:0:0:0:0:e-53domain 23542300x8000000000000000297423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.049{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEA08348851B1A8684C5A483FE3F50A,SHA256=6A3845BEDCBE690C42BA8809870C2A5A79522164000692849A94C93E8AA90596,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-922C-6149-A92B-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:00.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262AA7C0067C0B73C1E3F3AB57F36FCA,SHA256=D5B3E47280D083C507D045055896ABD6DCA52ACB7C480889E1D2FAAFDA6526C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.041{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-922C-6149-A92B-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.037{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-922C-6149-A92B-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.034{5097E253-922C-6149-A92B-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:00.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=772BADC760143A581F8346EBC386928F,SHA256=A2DBB81EBDE21B606F7A444A24217278CBC656A6DD9C48A0885510202994F99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:59.047{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54258-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:58.664{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53914-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:01.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09520729F754B147F93D91B095FCE770,SHA256=1EC8A7D6D5B70234F2BF4050EF92E616C2353E069EAA1EB23C7453220C230F29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.986{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 23542300x8000000000000000297441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.981{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\formhistory.sqlite-journalMD5=E06F826B6D2062B5E55A339C55104197,SHA256=44380777746CD28A7B3F931EC6BC0A4749CDD8646A2B1CCC3BBEB88D6AF96920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.535{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17EFBAE54EE3754ED0D6B3E344963355,SHA256=553EBD096C7CE2C3C9C4FE906740212F36F8ABAE41CEE0C2151963773CFC558A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.483{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB83412360A1AA2CEC4B5C3DCE710513,SHA256=6A8C17C56EEFCE3749BD904BC861C2103BFD892BB6241175E6562A17776C4ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.843{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59216-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000297437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:58.825{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59215-false142.250.185.228fra16s53-in-f4.1e100.net443https 23542300x8000000000000000297436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.186{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\2383MD5=7FB38C459609E10EC9965E4F1EE9F101,SHA256=CA9A4685DBDAED23D0129C6A9C232684FEF7D6391738DC8CEDEE9E0AD2EFCE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.185{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\4526MD5=18532ADC8E1AA5F61783AEE13A453F90,SHA256=AAF56B785C6220A9E22CDF08E12F4D1C33E0C4441F19126A00EB01D37F7D0880,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000297434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.401{5097E253-9226-6149-A12B-00000000FB01}4420www.google.com02a00:1450:4001:82f::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.400{5097E253-9226-6149-A12B-00000000FB01}4420www.google.com0142.250.185.228;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.399{5097E253-9226-6149-A12B-00000000FB01}4420www.google.com0::ffff:142.250.185.228;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000259904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:00.101{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55493-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:02.655{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E08EBD1052FB209E1705AA258E81F4E,SHA256=D7046A653A7EE10B07E9375013043896FC79D511050E7E13BD07050CE1B02178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.784{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000297476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.753{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.747{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000297474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.747{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000297473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.729{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.729{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.704{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.704{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.704{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.680{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.673{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.672{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.672{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.671{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000297463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:00.759{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58307-true2001:500:2:0:0:0:0:cc.root-servers.net53domain 23542300x8000000000000000297462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.498{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7D039BF7DE9123A759FC45E7E699A8,SHA256=CBB18169568CDCB980622C52EFCF93FF7EB05816B27D9E9E7284BA92FA4BC2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:01.998{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751E7F2C60A3410C7064D41A9A685CCB,SHA256=188E1A219A99022C5EE53100BA9F6589AE5DB9431313C93D296406D490852BDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.752{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-49311-false127.0.0.1-53domain 354300x8000000000000000297460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.488{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59217-false10.0.1.12-8000- 354300x8000000000000000297459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.441{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49311- 354300x8000000000000000297458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.415{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62683- 354300x8000000000000000297457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:59.414{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49311- 10341000x8000000000000000297456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.195{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.177{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.177{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.177{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.167{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.166{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.165{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.162{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.141{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.135{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage.sqlite-journalMD5=032813D85B9882017232B2193FBDA84A,SHA256=85353FE0CC11D110224462928E90939FE02BC5838DDACEB5FC2F67FD761D60E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.109{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\protections.sqlite-journalMD5=A26B1D7369E03500132BB1F319E15A16,SHA256=9BD42A90BB28C28F78670FA33D2860ED28D1687E11ADC05D926073154CBD47E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.068{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e4901f|C:\Program Files\Mozilla Firefox\xul.dll+e3814d|C:\Program Files\Mozilla Firefox\xul.dll+403a1c3|C:\Program Files\Mozilla Firefox\xul.dll+229b601|C:\Program Files\Mozilla Firefox\xul.dll+9df490|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51|C:\Program Files\Mozilla Firefox\xul.dll+9aed7e|C:\Program Files\Mozilla Firefox\xul.dll+9ae0de|C:\Program Files\Mozilla Firefox\xul.dll+9b7f1b|C:\Program Files\Mozilla Firefox\xul.dll+900933|C:\Program Files\Mozilla Firefox\xul.dll+89f837|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f 10341000x8000000000000000297444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.065{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x8000000000000000297443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.016{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+fdc990|C:\Program Files\Mozilla Firefox\xul.dll+fcd08b|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd13be|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd13be|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4 354300x8000000000000000259909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:01.659{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56982-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:00.644{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55876-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:03.668{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0838680F0DBD8DD5F145D3FEA6F403,SHA256=BD9A1766321B6DF19A3B4F2DDE7940A745A2BCB7037DE7A23F685905B938E21E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.983{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58873-false142.250.185.227fra16s53-in-f3.1e100.net443https 354300x8000000000000000297543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.983{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61483- 354300x8000000000000000297542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.982{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58871-false142.250.185.99fra16s49-in-f3.1e100.net443https 23542300x8000000000000000297541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.698{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8711F0AED5BD0CB63619F1E300274A39,SHA256=3C6943ACB4761F443B799888FC7C47BE39DF5DD26442555888B9F051E16F76BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:03.527{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44D9CFCD7A4168A8D93EE896134EFB78,SHA256=D631ABA01DC790E3E9A4018B1EA4FA13282770450A6D2E27C8D8F83493FEBCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:03.199{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C7933B505A6B7790562FF66B66D18803,SHA256=ADBEEC18771514E9ACB7B5482604DEB4BE8D8DE379198FC9FEC748E82F16D305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.504{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62729- 354300x8000000000000000297539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.504{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60386- 354300x8000000000000000297538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.488{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local52023-false142.250.185.67fra16s48-in-f3.1e100.net443https 354300x8000000000000000297537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.461{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52022- 354300x8000000000000000297536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.436{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52022- 354300x8000000000000000297535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.285{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62936- 354300x8000000000000000297534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.285{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62655- 10341000x8000000000000000297533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.204{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.192{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.191{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.191{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.190{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.189{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.187{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.174{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C13673D9533553CEA4AD2ADB2BF6CDB,SHA256=318EA0AC6B74742BC0F4447BD15CE5DB5EEEE6A9481E8864310BC12179E936FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.172{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F250A0CB0C0D67E614BC32C1EAEB652,SHA256=4748494FAD19E166F801F8E8A4B9CCC6DB3B7D2C5DC2E2E9FAB016974C25FEC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.156{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.155{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.141{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:05:03.141{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:05:03.141{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.129{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.127{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:05:03.127{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.8.206001945C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.127{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c272c|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:05:03.127{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.8.206001945C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000297514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:05:03.126{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.7.62068532C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.125{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:05:03.125{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.960{5097E253-9226-6149-A12B-00000000FB01}4420www-google-analytics.l.google.com02a00:1450:4001:828::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.960{5097E253-9226-6149-A12B-00000000FB01}4420gstaticadssl.l.google.com02a00:1450:4001:82b::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.959{5097E253-9226-6149-A12B-00000000FB01}4420www-google-analytics.l.google.com0142.250.185.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.959{5097E253-9226-6149-A12B-00000000FB01}4420gstaticadssl.l.google.com0142.250.185.67;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000297507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.284{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51725- 354300x8000000000000000297506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.283{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49152- 354300x8000000000000000297505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:01.282{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51643- 10341000x8000000000000000297504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000297502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.087{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.086{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.085{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.080{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.080{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.079{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.079{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.079{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.078{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.079{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.7.620685320\474410014" -childID 4 -isForBrowser -prefsHandle 4732 -prefMapHandle 4028 -prefsLen 9567 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 4708 1e7926b5338 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000297478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:05:03.068{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.7.62068532C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000259911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:02.128{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57518-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:04.683{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D3792250636135E0BF34F744302E62,SHA256=2E2C6F9BDCF94D2AD18906087C9ABFBB00F157273E9DC65007B3787FC695E9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.709{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC07BB45C27AC1FDAE94DD518CE186F,SHA256=420B7C3A2F2E7477517F739BECE623A886EE0BA84A69DD49318DAC88250D9124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.487{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62346- 354300x8000000000000000297560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.485{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local53389-false142.250.186.66fra24s05-in-f2.1e100.net443https 354300x8000000000000000297559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.477{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53388- 354300x8000000000000000297558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.452{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64208- 354300x8000000000000000297557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.451{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local63329-false142.250.186.78fra24s05-in-f14.1e100.net443https 354300x8000000000000000297556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.451{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51420- 354300x8000000000000000297555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.449{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63328- 354300x8000000000000000297554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.438{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59865- 354300x8000000000000000297553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.400{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59258- 354300x8000000000000000297552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.400{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52855- 23542300x8000000000000000297551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B193B8FFF9657318819DE4901DAB261C,SHA256=039E5070BB5A7C6B977059B9A578B9918620C42DF9B1F2D7BA2BEDBCD3DDA232,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000297550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.076{5097E253-9226-6149-A12B-00000000FB01}4420plus.l.google.com02a00:1450:4001:831::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.074{5097E253-9226-6149-A12B-00000000FB01}4420plus.l.google.com0172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.073{5097E253-9226-6149-A12B-00000000FB01}4420apis.google.com0type: 5 plus.l.google.com;::ffff:172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.659{5097E253-9226-6149-A12B-00000000FB01}4420id.google.com02404:6800:4007:804::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.657{5097E253-9226-6149-A12B-00000000FB01}4420id.google.com0142.250.185.227;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.657{5097E253-9226-6149-A12B-00000000FB01}4420id.google.com0::ffff:142.250.185.227;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000259916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:03.608{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59082-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:03.205{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58586-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:02.738{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:05.699{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560536145963B22232A907358A7D227A,SHA256=DFCED8BA4EF831B01C2B6283115EF0E37BA7477BC06248020D26B029B23F3303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.827{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 23542300x8000000000000000297576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.720{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC23DFA08E38D7432E7E9E493FFEF412,SHA256=50B8E91F71812265FD5E81A92DB08F25C3054485B26B3C1400C8CDD3A0F86F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:05.136{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0EC2E8AAA3FB525E0B6BD1D296AB7F9,SHA256=6C596904329BECDB386860EAC4FD1938FEB93B7BAFC2574AB6A49A8B6D8218FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.607{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9bf5|C:\Program Files\Mozilla Firefox\xul.dll+8e827e|C:\Program Files\Mozilla Firefox\xul.dll+8e84b0|C:\Program Files\Mozilla Firefox\xul.dll+3527a1a|C:\Program Files\Mozilla Firefox\xul.dll+35277d8|C:\Program Files\Mozilla Firefox\xul.dll+352a74e|C:\Program Files\Mozilla Firefox\xul.dll+dbae8b|C:\Program Files\Mozilla Firefox\xul.dll+1f0616d|C:\Program Files\Mozilla Firefox\xul.dll+1b3a58|C:\Program Files\Mozilla Firefox\xul.dll+9dd98c|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51 10341000x8000000000000000297574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.607{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9bf5|C:\Program Files\Mozilla Firefox\xul.dll+8e827e|C:\Program Files\Mozilla Firefox\xul.dll+8e84b0|C:\Program Files\Mozilla Firefox\xul.dll+3527a1a|C:\Program Files\Mozilla Firefox\xul.dll+35277d8|C:\Program Files\Mozilla Firefox\xul.dll+352a74e|C:\Program Files\Mozilla Firefox\xul.dll+dbae8b|C:\Program Files\Mozilla Firefox\xul.dll+1f0616d|C:\Program Files\Mozilla Firefox\xul.dll+1b3a58|C:\Program Files\Mozilla Firefox\xul.dll+9dd98c|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51 10341000x8000000000000000297573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.607{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9bf5|C:\Program Files\Mozilla Firefox\xul.dll+8e827e|C:\Program Files\Mozilla Firefox\xul.dll+8e84b0|C:\Program Files\Mozilla Firefox\xul.dll+3527a1a|C:\Program Files\Mozilla Firefox\xul.dll+35277d8|C:\Program Files\Mozilla Firefox\xul.dll+352a74e|C:\Program Files\Mozilla Firefox\xul.dll+dbae8b|C:\Program Files\Mozilla Firefox\xul.dll+1f0616d|C:\Program Files\Mozilla Firefox\xul.dll+1b3a58|C:\Program Files\Mozilla Firefox\xul.dll+9dd98c|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51 10341000x8000000000000000297572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.607{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9bf5|C:\Program Files\Mozilla Firefox\xul.dll+8e827e|C:\Program Files\Mozilla Firefox\xul.dll+8e84b0|C:\Program Files\Mozilla Firefox\xul.dll+3527a1a|C:\Program Files\Mozilla Firefox\xul.dll+35277d8|C:\Program Files\Mozilla Firefox\xul.dll+352a74e|C:\Program Files\Mozilla Firefox\xul.dll+dbae8b|C:\Program Files\Mozilla Firefox\xul.dll+1f0616d|C:\Program Files\Mozilla Firefox\xul.dll+1b3a58|C:\Program Files\Mozilla Firefox\xul.dll+9dd98c|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51 354300x8000000000000000297571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.601{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64585- 354300x8000000000000000297570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.597{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52854- 354300x8000000000000000297569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.560{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59918- 354300x8000000000000000297568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.560{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63660- 354300x8000000000000000297567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.560{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58874-false142.250.185.66fra16s48-in-f2.1e100.net443https 354300x8000000000000000297566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.560{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52257- 354300x8000000000000000297565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.560{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64125- 354300x8000000000000000297564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:02.557{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53744- 22542200x8000000000000000297563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:03.233{5097E253-9226-6149-A12B-00000000FB01}4420adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:172.217.18.98;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000259919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:04.689{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1162-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:06.746{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BAEEC1D936D1406B1C340F12FBA031,SHA256=79797C0ED19005BF5CCBDC9112FF9C54AD52230DE5DE89F6FD91FD5955651E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:06.967{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\2548MD5=5AA01175EE5C41C20983D54043C7E519,SHA256=C521F6034D998799406552F49F594B40B85AD35DDC9FD2F0746851C7D848F06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:06.724{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ECF59F73D4CD87084AC97F2997C232,SHA256=B7FC6CBC341E32EDC99F83FEC172B67B59A16856F238FA79BCADD8AA4FBEB998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:06.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39849C21C75BB112F779DBD0D9518DC9,SHA256=2D5798D0675784AD39B66DE908900A40A12A26EFE9EA11105B9EEE3EFF585C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:06.050{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=809A623A83A81204383684FC603D70BC,SHA256=C4F92383E162DBA35F49583CEE2BAFE5316DAFE0776E0D5A3EAE4427FFDB67E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:06.049{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FB419142DB8FED6D65D7937784A1E4B,SHA256=ED026695E8EDA18736168485352BCB2B8FC2E5C01578D40001B46AA9378A5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:07.777{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F622D1E86AED953A30DE7A42222025,SHA256=49BF3F68318A3DCBA019683984C047F67D6700DB2AEBF7E8A47C328E789FF5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.956{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=216CDCB4FF83069639973854E4BB2671,SHA256=55816884CA7E082BCD2339AEB48BD5372C216D8EA415329D393203CD90957730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.955{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.953{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.952{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.737{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47870D6A7C543A356C15B4B0534D778F,SHA256=FCB9F9440589D2D109FA16A97717111502FC78A1B09ABFD48C6000F6D322CA42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.236{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59220-false216.58.212.174ams15s22-in-f174.1e100.net443https 354300x8000000000000000297596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.236{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50059- 354300x8000000000000000297595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.236{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62822- 354300x8000000000000000297594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.005{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59219-false142.250.185.227fra16s53-in-f3.1e100.net443https 354300x8000000000000000297593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.004{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52244- 354300x8000000000000000297592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.002{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63211- 354300x8000000000000000297591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.924{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local63917-false142.250.186.142fra24s07-in-f14.1e100.net443https 354300x8000000000000000297590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.864{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59218-false142.250.186.142fra24s07-in-f14.1e100.net443https 354300x8000000000000000297589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.864{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63916- 354300x8000000000000000297588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:04.863{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52770- 22542200x8000000000000000297587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.912{5097E253-9226-6149-A12B-00000000FB01}4420play.google.com02a00:1450:4001:813::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.910{5097E253-9226-6149-A12B-00000000FB01}4420play.google.com0216.58.212.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.909{5097E253-9226-6149-A12B-00000000FB01}4420play.google.com0::ffff:216.58.212.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.539{5097E253-9226-6149-A12B-00000000FB01}4420www3.l.google.com02a00:1450:4001:802::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.538{5097E253-9226-6149-A12B-00000000FB01}4420www3.l.google.com0142.250.186.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.537{5097E253-9226-6149-A12B-00000000FB01}4420ogs.google.com0type: 5 www3.l.google.com;::ffff:142.250.186.142;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000259925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:08.793{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC3FBDBF2E3904B3080753CB12BDA8,SHA256=6AB5EB16104FEB169AC2B8610999F009E69AD1A2F37B653EC4E45CAE2E3801F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.975{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2EFD2612A4C41AFEC2B4DEEF81D0E1,SHA256=53212D47903422A6CEE95730E0434B62FF02EB5AF0DA0457F534E883A0C8116E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.964{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=873DDE9D3A047D331D1B16F1B732B5E6,SHA256=B5C82BA58F09F34806A87A820F952801F9F1B9677B7710E8C7BE3C1F7935EC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.892{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=CA482D7BBCBF5DE0DD29B899D494D8AD,SHA256=1BCE432970CD551853878D6B8F0BD4248845CA57B7BEF78E15C45D65CFC2BF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.890{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.747{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB2B1419B5F299E9F0BE8A582FF50A,SHA256=5A3584A12E9D83A368D86C7D8182C18DAC0FB413C5CF4993DA0CB7720FE1B055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:06.607{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3153-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:06.297{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2785-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:05.206{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1578-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:08.261{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65A4B5D9A80BADC61E5FD69543A5CA40,SHA256=F18C3BEEBCB4092A3D0509236F6646C42775ECDF15961A86F5BB0137010EBD31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.381{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59221-false10.0.1.12-8000- 354300x8000000000000000297607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:05.292{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local50060-false216.58.212.174ams15s22-in-f174.1e100.net443https 23542300x8000000000000000297606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.023{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-walMD5=B25E2D5C5B2B297A75E2B00FDBA1E8F9,SHA256=EEDFF34C2A7B5A1EBD88EDF6C1B31024ADF1E4D81CD0C179A41522371F4C342A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.022{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=FD472162257B86AEA2DAE79693AC501A,SHA256=C42FCAF213513ED9FF8BA5EC18F31E7B8CC5F4A5B046E06B4D7203BC3A8D0F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.017{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=138BC4A69AC1BCCFCC1ECFC9129A6B36,SHA256=B6E49B2D4D150D4F6896507C9841FA4783C0150EB9269776C4F5EA89A4AC34E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:08.003{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\usageMD5=3C498C17F14BDCB14A2F33CCE34187BA,SHA256=08203CFCA680D1066933EEA55578E3CD48868C3780896FBF070C71D89B48456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:09.808{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505F48984080746F3DFAFFE79EC7DB1,SHA256=4C375F407AE6A3B9B5250B6678C658DE381888B271E2E3336B4FBDFAB1A5FD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.757{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9A7A48DF056A0F68E15FB974A93E3,SHA256=CD16488DB92B5645797D7EA0C977F27E76175ADC9DE06882C06E074E8B8854C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:08.048{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4557-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:07.814{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4348-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:09.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6B36481C84761582CA30150D7DEB7C,SHA256=9AA235E31E48529B260510079C1835BF79316EFD3B862D41D90B46E51F55D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.493{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6BD0C59A4034B90865B226735CC26,SHA256=A1A932108BAD9C487826F755D6AA9149E656922336C27F125D0B8D60EE9BFDB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.428{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.428{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.425{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.416{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.414{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.413{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-9235-6149-AB2B-00000000FB01}6248C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.394{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.394{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.392{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.392{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.375{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.375{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.373{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.373{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.373{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.372{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.367{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.365{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000297644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.364{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.364{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.362{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.362{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.362{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.362{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.362{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.361{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.361{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.361{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.361{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.361{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.360{5097E253-483C-6148-0D00-00000000FB01}904932C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.359{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.359{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.359{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.359{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.358{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.358{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.358{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.357{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.357{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.357{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.357{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.354{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:09.354{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:10.765{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4DBEAA7AA8D046EA85ECFFD99A5814,SHA256=8115D8DCA643DFE330CB9CA4D9F6820C98BF29D5B5BF483A7D5E16B5AFEE304E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:10.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F704D194D5391B4464E0D763EDE4E13F,SHA256=B002452AECF9F36897F909CCD55DC031A2205BAEE3021D0337E7AD3AAF6446E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:10.808{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E148961B3ABEBDC016844F793D73CBB1,SHA256=D3EB06D71BE7E2AE6EDC6BA361B67616E3B1D4A17EDCA178621100AE0F2C7AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:07.964{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56814-true2001:500:9f:0:0:0:0:42l.root-servers.net53domain 23542300x8000000000000000297667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:11.770{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E59B565D6C57ACC8A7EE2BDF22BD36,SHA256=9B58779DE59E37D404750DE445F866ECA6E8469A73342433C9C2FDF52B606782,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:09.537{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6159-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:09.314{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com55865-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:09.206{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5802-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:08.644{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:11.824{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B217B1A2CB53082C876EF11DA97ACC5,SHA256=62BC1657972B3005B302BB64310980712D3A9233E3F4227AEB3092B146EF49B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:10.848{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7268-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:12.839{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE2355CEF9478F601290141938474F3,SHA256=2664207B785C68F7FDB5F02C1C0AA4B9319DECEE2DD532FAB60F0A1A3B8F9871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:12.997{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403559B5AB03782CC42BDC8872BC14BC,SHA256=953F146A3F1110985D0360C1A94F8528AAB358FF6F63B3CFCB617E8700E9AB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:10.564{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59222-false10.0.1.12-8000- 23542300x8000000000000000259937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:12.714{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D755333B48C86D4295CAF1FC25EAD392,SHA256=86EA4A34947C3D863C002CF63E07B68A23C49B2E324250F76CEB844B22F15D4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:11.180{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7637-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:13.902{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F59598F3467CA578812D8ED4655ECD,SHA256=5D4E614B4723B2AE7927D9889EA2F3D26C6EA38C4E76FDC1C6BF12097BE00419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.979{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000297684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.979{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000297683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.977{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.977{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.975{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.975{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.965{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.965{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.963{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.963{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.962{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.962{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.171{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.171{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.168{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:13.168{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:12.951{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu60153-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:12.572{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9175-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:12.370{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8922-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:14.933{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE7BCC861BF8E3981B8B1DA07CF8205,SHA256=4F778F833E6A1F157F589E0E2F43A89141BF5093CD501354C519F85822EABF75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:14.337{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:14.336{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:14.336{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:14.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B5166BFCFC19956A98789ADC84EA80,SHA256=2BC2B0CEEC0317125D4ABCF15EFE1ED085D8B1F8BA120AAED15CBE474AFA9ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:14.277{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A6CB027F2EB36551BEFF0C109481390,SHA256=2B807D3DA4F00A55A9B0882351C9A6BA238C9C660831ADB613F3624CEDFCD6E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:15.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3930221FDC329B3BBD1ACE7E10CA5E,SHA256=D457EE7E595757163B52561FDDB02F6CD5E91EF492CDE61C46A7FCDDFB000134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000259947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:15.730{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAF94933BF436B781F7D48BCE31CCE76,SHA256=72EE56E94CD5B5337C3567A7CC1D2E03717089ED907D084E1D3AF0AC7148D35A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.959{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.958{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.958{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.797{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.765{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000297727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.614{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD2D23CBA88AE90EE90BEF013F68BFE,SHA256=39BA6D777ACE4F6540CE352AC6B9CDE537C033465B727E3A67DF67DAB0062A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.562{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.561{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.561{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.360{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.359{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.359{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000297710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.239{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=908E99C0AD017CE370DD023681C5237D,SHA256=97E9F113B2DB1985F811E1A9EC2F23805AC039262AFC94D85F615FFFB731368E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.201{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.200{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.198{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.191{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.188{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.188{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923B-6149-AC2B-00000000FB01}5872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.181{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.181{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.180{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.180{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.180{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.180{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.179{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.179{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000297695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.173{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=C927357CC3C0B5A467E7D5BA5EFB1CA2,SHA256=4FD26642B236C1045B68B9542200CE4150905BDF43B990A1B3F43427FB769CCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.172{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.171{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000297692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.056{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315D3FB3A99CC6B8CA0CFA2322AFE37A,SHA256=C547FE2C80C4D00FF0F60F31AD73CA42EC28AEEA1625C4F1EF686EE605160787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.054{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B58EEDF540D91C3C808A8B108583EEFF,SHA256=ADC0D4768BFFE685DEE871AE19CCC5DEAF0D4DCB808FC7E2E3599BCE44082D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:15.012{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D7B562F0734E1A5170A2019EF6EF8F,SHA256=D89042BD43E8624948C4B027C503F40ED4BA49FB47C0FAA8BA7FB6F933D2D8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:13.890{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10487-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:13.675{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE2FBAB1B3D214CDAE1ACD02DF47D7,SHA256=FFD37F3815464210633660ED0551A3C4C8BD8D9E59A6ACBDE435B7E1AAEBF30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.132{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB5BC93A88644C2ABC98EC1502904D1,SHA256=B19F7D92816D7E2BF4630584F559F0DD0506A3EFA69B54B816A742ECFA7868B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847316C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000297753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000297752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.059{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000259954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:17.121{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85905AE970584BCC85272E32EA7DE56C,SHA256=5E54F540B1B9CA666D867DB46D2FF53FF615286ACECE2F52F49202256FBDEC64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:15.312{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11945-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:14.206{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10860-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:17.011{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144B469CB83E368A66D036564AFF811B,SHA256=58FF2F9A2467804F34B1EFD8100959AEA17315D70683621626D99641972DC67A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.985{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.982{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.907{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.907{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.903{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.903{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.737{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000297816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.737{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000297815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.733{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000297814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.733{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000297813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.723{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.723{5097E253-8792-6149-AA29-00000000FB01}48165412C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.715{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.715{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.709{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.703{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.700{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.700{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AF2B-00000000FB01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.689{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.689{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.682{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.682{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000297799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.680{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.680{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.675{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.675{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.675{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.673{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000297793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.672{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.669{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.669{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.668{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.668{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.668{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.668{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.661{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe10.0.14393.82 (rs1_release.160805-1735)SettingsMicrosoft® Windows® Operating SystemMicrosoft CorporationSystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanelC:\Windows\ImmersiveControlPanel\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=A91F621A8A0DE91FAE53D3051303809B,SHA256=E768FF1F2F31178FE5930F261ACD4B19464ACC019FB0AA697D0B48686E59050C,IMPHASH=1812A9B9265AD93B24FA9FCBFAFBC4A6{5097E253-483C-6148-0C00-00000000FB01}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000297785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.663{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.662{5097E253-8792-6149-AA29-00000000FB01}48166924C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.662{5097E253-8792-6149-AA29-00000000FB01}48166924C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.661{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.661{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.660{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.653{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.652{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.635{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.635{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.633{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.632{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.625{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.625{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.622{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.622{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.548{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.548{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.548{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.547{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.542{5097E253-923D-6149-AD2B-00000000FB01}4748C:\Windows\System32\ApplicationFrameHost.exe10.0.14393.4169 (rs1_release.210107-1130)Application Frame HostMicrosoft® Windows® Operating SystemMicrosoft CorporationApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=6F27A494DEAC85725B87BFBC0656A382,SHA256=B93BBD0B6FC7678FD815CC1DAA538F3923C144776CB7C419BC44AF40963E9E89,IMPHASH=3F27A5C187DCE51FC872862DA48D5BCF{5097E253-483C-6148-0C00-00000000FB01}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000297764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.521{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.520{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:17.070{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0E349B60D83065FAA999845E3067C4,SHA256=0FF767C49B244384B4AEDA65899F7FB98D56EF9B58B11FEB8DC334951BED2CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:16.525{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59223-false10.0.1.12-8000- 10341000x8000000000000000297864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000297863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000297862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f 10341000x8000000000000000297861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000297860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+139d2e|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000297859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f 10341000x8000000000000000297858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.327{5097E253-923D-6149-AE2B-00000000FB01}76368064C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 23542300x8000000000000000297857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.326{5097E253-923D-6149-AE2B-00000000FB01}7636ATTACKRANGE\AdministratorC:\Windows\ImmersiveControlPanel\SystemSettings.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF50924df.TMPMD5=4FCB2A3EE025E4A10D21E1B154873FE2,SHA256=90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.318{5097E253-8792-6149-AA29-00000000FB01}48166508C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.318{5097E253-8792-6149-AA29-00000000FB01}48166508C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.318{5097E253-8792-6149-AA29-00000000FB01}48166508C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.317{5097E253-8792-6149-AA29-00000000FB01}48166508C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.316{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+18c67|c:\windows\system32\audiosrv.dll+4956|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.310{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+12a22|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.310{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c874|C:\Windows\System32\ApplicationFrame.dll+100f4|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.309{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1a578|C:\Windows\System32\ApplicationFrame.dll+100e3|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.309{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c76e|C:\Windows\System32\ApplicationFrame.dll+100d2|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.300{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+100c1|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.300{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ca6f|C:\Windows\System32\ApplicationFrame.dll+100ae|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.298{5097E253-923D-6149-AD2B-00000000FB01}47487004C:\Windows\system32\ApplicationFrameHost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ad31|C:\Windows\System32\ApplicationFrame.dll+10096|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.293{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.246{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.204{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.204{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.204{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.203{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.202{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.199{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+4a4e|C:\Windows\system32\activationmanager.dll+2109|C:\Windows\system32\activationmanager.dll+2c31|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000297836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.199{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+4a4e|C:\Windows\system32\activationmanager.dll+2109|C:\Windows\system32\activationmanager.dll+2c31|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000297835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.197{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED78797549706613ABB40E83DE17548D,SHA256=AF37DDC59A7785EB6AF715953DF7470AE1105843EE84063C4D47EA928B747E5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.191{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.181{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.179{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.178{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.178{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E512C02A79B49023E7230274A538774,SHA256=7C4CEFD7D6D49CEE75DE9E37712F632960BEEA966E061059E9C9F18AF3301545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:18.902{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31DE777E3EC5718FFB63A4CBCB055ACC,SHA256=140C2A4FB58B5496FDB1F5402C265BCB616F4D8BAF10FBBF93690723CFA8F346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:18.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940E67C4B3121D59179E3B6DE1BDD350,SHA256=BA997A8BA9DE539B1C550FDA7833CAC732F9573CEFE1C0AFC067892B501788BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.022{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.022{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.006{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.005{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000297825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.002{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:18.001{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.980{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.980{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.957{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.957{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.954{5097E253-483B-6148-0A00-00000000FB01}6241700C:\Windows\system32\services.exe{5097E253-923F-6149-B02B-00000000FB01}3032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.953{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B02B-00000000FB01}3032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.940{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.940{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.904{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.902{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.902{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.872{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.872{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.856{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-923F-6149-B02B-00000000FB01}3032C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.856{5097E253-483B-6148-0A00-00000000FB01}624684C:\Windows\system32\services.exe{5097E253-923F-6149-B02B-00000000FB01}3032C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.849{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.849{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.849{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.732{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.731{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.729{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.729{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.705{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.705{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.700{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.700{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.675{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.675{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.673{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.673{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.671{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.671{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.647{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.647{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.489{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.489{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.489{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.488{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.488{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.488{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000297866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:19.216{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD48A4D41E4A3C46B9B937CDBF88196,SHA256=2CEE4747229FC4965B0377812B220ACE3C62A14FD4C372A537E670345BFBC431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:17.304{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13888-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:16.732{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13551-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:15.683{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12352-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:19.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DE32103B961B3FE3CDEFE3718EBDEF,SHA256=82FDE1C2979037E8854EC2830950407A6B0806E861F83F761C68D2627159870E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9240-6149-3127-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9240-6149-3127-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.855{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9240-6149-3127-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.856{C189DCE5-9240-6149-3127-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.355{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1A4E38A3AC5B17EFDBF76A4B6F21B7,SHA256=35E5C04F67BF6916669034B36AEEFBC7851D9DEB16FD29D79EF46936E41E435D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:18.460{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15155-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45C290E9290A84C63648D66A39BDF65,SHA256=8D9D550F3CD242FEEB0A0210BECBDE3DF5D0CEFA5D1FE04ED1E926513F54D436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EF635F035E243446AC3246A7BD0DB1CC,SHA256=01FFBCD54375E6D6B028269DBD9C184555E4587D420DFC7962831123A0DE2BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.857{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=809A623A83A81204383684FC603D70BC,SHA256=C4F92383E162DBA35F49583CEE2BAFE5316DAFE0776E0D5A3EAE4427FFDB67E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.245{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CC272FF76F63CCEC2C45325F30A6B9,SHA256=233C9EFC36A5946926C80AF3860E2CFD22F87AE4F11461222CC368331C6BCAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.235{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD77641EA2EEBF579E2BCAD2709AB25,SHA256=6A2C99259D13B77F8ADBABF45E51546E7E1BD538A3182AE890F8C425E4947B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.085{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.084{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:05:20.049{5097E253-923D-6149-AE2B-00000000FB01}7636\TDLN-7636-41C:\Windows\ImmersiveControlPanel\SystemSettings.exe 17141700x8000000000000000297919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:05:20.049{5097E253-4849-6148-2600-00000000FB01}2872\TDLN-7636-41C:\Windows\system32\svchost.exe 10341000x8000000000000000297918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.049{5097E253-4849-6148-2600-00000000FB01}28724600C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000297917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.049{5097E253-4849-6148-2600-00000000FB01}28724600C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000297916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.048{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.048{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.043{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.043{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.042{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.041{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.025{5097E253-923F-6149-B02B-00000000FB01}30322200C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+7b27|c:\windows\system32\appxdeploymentserver.dll+2db00|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:20.007{5097E253-923F-6149-B02B-00000000FB01}30322200C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9241-6149-3327-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:21.241{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDB6A1662DF1FDA2CC30318773927AC,SHA256=17583B88EEDE4708B43C7316BA0B17E48C484E85C74DF85D2D6F67E36BA475BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9241-6149-3327-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.902{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9241-6149-3327-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.903{C189DCE5-9241-6149-3327-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.871{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E70594D90765E83172DBE7739B6A47E,SHA256=EDC93634F6C4D4AA6DB4783A53FCADDC6E93A2E73ED53EC2D64C975ED27F29CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9241-6149-3227-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9241-6149-3227-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9241-6149-3227-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.371{C189DCE5-9241-6149-3227-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:18.886{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15427-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.089{C189DCE5-9240-6149-3127-00000000FC01}29523408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.074{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB7CFF0453487DF6E5D2630C1159B3F,SHA256=001BE00DF0399C93BE543DFE2F021A2C558AC53E087ADF464B9913CBF9B0EF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.933{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=690C04C736722C72E0AF66B4904E7AD5,SHA256=19D64E5E1F8DF5E7EF5B2A771014FC6BE01BC5B39FB2EEF09BEC6FB3A1F840A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.824{C189DCE5-9242-6149-3427-00000000FC01}16443024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9242-6149-3427-00000000FC01}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9242-6149-3427-00000000FC01}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9242-6149-3427-00000000FC01}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.574{C189DCE5-9242-6149-3427-00000000FC01}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:19.906{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16693-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:19.566{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000260007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.261{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C88FA208F8500147C7F41B48D3B4DB,SHA256=396C90132CD41A9FB3203B09FEDD326A2CC11E739719ADA440C6A10D61945543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000297928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.248{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C0C6071F8868B2B686DD771EEA9202,SHA256=0B577A4F79EDA076820BA74E9C4ADD0985A57750027E9AA04EB20E0F0CE493A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:23.953{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=580CC78FC25960FAAD694A41CC0E4875,SHA256=27EB377F4DBE12915D364BC17DC4F651329B43EEFDDE47084A6E651C444640F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:23.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C681B2732B3293ED766FC7A7580711,SHA256=CA3C89E755F92896AFF5FBFB8EEC56CB918E0E65D0800B34976145C34AF3561A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.255{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCAF156DC12579D6D5D746791B0AB61,SHA256=DCADAFE4FC8A29D60624FF6A4AE5B44EDCEFAE5F9571572B3732DD4D16B89899,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:20.399{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17152-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000297943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.102{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.102{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.102{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.102{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.101{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.101{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.101{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.101{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923F-6149-B12B-00000000FB01}7688C:\Windows\system32\DllHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.101{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000297934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:23.100{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.797{C189DCE5-9244-6149-3527-00000000FC01}3100892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9244-6149-3527-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9244-6149-3527-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9244-6149-3527-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.610{C189DCE5-9244-6149-3527-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.453{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DED8E32C82861278709E850545A7B3,SHA256=80E695E99B45FAF6332D545B58D8934817BC0A17642EBD771BB6EEA578848B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:24.257{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C662CA8BD641DB13DC560ACE7D08D5F0,SHA256=2601BE6CA8620D875560A2C055BF93E21699E92AA7E4C7289BE530CBD8A900A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:22.124{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18840-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:21.755{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18466-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.781{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E5D12D351E27B3D9DE6EDFF90514A1,SHA256=946E50B8C038C639FA860AC45DB4B15F900E29B5F6410D79EC2FAE51F4B6EC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.531{C189DCE5-9245-6149-3627-00000000FC01}32842928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000297947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:22.451{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59224-false10.0.1.12-8000- 23542300x8000000000000000297946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:25.264{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AE20C5F5E0B1A69CCCDB5F489F0BBF,SHA256=4D389928E47F47DB3C3E4EB3C12B4DDC360F4C07C096162094F0E6AA7BA1871D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9245-6149-3627-00000000FC01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9245-6149-3627-00000000FC01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.281{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9245-6149-3627-00000000FC01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.282{C189DCE5-9245-6149-3627-00000000FC01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:23.210{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19895-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0B8FE845360DC6644F7B494D9A93D5,SHA256=D54D157CFA3C4B82D1663A679099A2E31F1EBEF04E1DC664E700E02B6D98896A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9246-6149-3727-00000000FC01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9246-6149-3727-00000000FC01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.547{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9246-6149-3727-00000000FC01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.548{C189DCE5-9246-6149-3727-00000000FC01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.532{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD2CD202E70B70178D771732D8E4E0D,SHA256=986EEC64B06A76D929829DBCF2B173B6CE13C564A90077F041ADD86A9A64DC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:26.412{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:26.267{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF23D11274527C7F68E91028C2EFEF1E,SHA256=BC9CD9FAF11187CBCC5748F2DB974C92EDEDDAD514AC6D859807390CFC0939D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.375{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FEBBE2793FAD2F9C0562E13314BC852,SHA256=460C289FDF7CF882A2B0BF32C691018D25A88094B3F5EFB417A1BCB6772DDD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:23.552{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20294-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000297948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:26.121{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:27.703{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141112FE88128B9C627A60155DC83AC6,SHA256=1DD0E9CC3D8B761BAC4ACFFD86829333746FE432C0E41DDA99ADE3F5FE196090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:27.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74E7D4E507C1B0FF96F523AF729A619,SHA256=5288FD2BB9F5BB20506B47A54CE3B030A94F666A74A1D3ACE4D60B338E4D3140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:27.372{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6281FC4688D8B14F867ADF2CA13EB171,SHA256=3A3E30B0D88E294BC58C5F9FD010BBCE50E02232E2F1D51860D457BA45A4A28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:27.371{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315D3FB3A99CC6B8CA0CFA2322AFE37A,SHA256=C547FE2C80C4D00FF0F60F31AD73CA42EC28AEEA1625C4F1EF686EE605160787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:27.370{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6C5BAAADF2641B02BE6B180385F402,SHA256=02CE25784B587EB7F4DF16D5ADE862B72ACC755D455847741F02A70996364FAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:25.240{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22005-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.696{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:24.606{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21446-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:28.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07A8591C0CE43599C5A0A5ED824EBA,SHA256=D97D8C42F73E83014C59DD7D8D4C30AD95411A19516E237840AAA5A16CE54ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:28.623{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CFD1CE16102709B1F26BDA4C5C17127F,SHA256=572061C3762299B659DB9C821CE8C51E2CB1CCA573BEA3DB976C1659CF35BCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:28.379{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BD9CD0823180E3F391CEC6908FA979,SHA256=0BB16A50720A740F84BAC20D3ED2563E785ECCF4AA34226D7FF25ACF1AEE5B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.248{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23021-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:29.610{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB8DB43FF57228AB1F490C89D2D3B2A8,SHA256=F3A7CD50A01048ABB5420493895A4198C934FECBF150A456AE841AD4FE9692A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:29.578{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D27342A8FCA3A093BCCE623798683CD,SHA256=5E09B2C6A6A4527A342E30600E1DA6D1FE2F4D49CC936234FB677F4C9901B196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:29.382{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5A8FBA56EF09B2760C06AB5C034A49,SHA256=A0972D8F591BBB0823D0475FCD7E166C3FFB819D92B9953E53A0DD73F14EE1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:27.642{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24564-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:26.663{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23465-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:30.610{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF36EE6BBB8DE054707728454C5D720,SHA256=7C7995FA6F63C30558EF779038FE73B72FF1A67F2B60DC166080D19ABE985860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:28.383{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59225-false10.0.1.12-8000- 354300x8000000000000000297959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:27.597{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-63258-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000297958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:30.387{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D80B6DFFEFC80076BEC87483E209EA5,SHA256=3FA9111D108D81ED5BA71A33A2D09C4C8B08D01F3B8CC985B3A56F31632E0DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:30.073{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6281FC4688D8B14F867ADF2CA13EB171,SHA256=3A3E30B0D88E294BC58C5F9FD010BBCE50E02232E2F1D51860D457BA45A4A28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:31.656{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38935978286F34B08949131F2BF316D,SHA256=C29DED4E3B0F465890279C2F7C654AF08DB8576AAA6DAF33C09B7A0D2E7261E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:31.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B9D673DB876AE20875E239AD4ED7D0,SHA256=18ECD83E37C87E6ECBC2B13F1F4782FC118096EE1CA005EED23EE83819379F53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:29.194{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26074-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:28.181{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25111-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:31.000{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB68948621DA59C9A25CCB6F10A681D,SHA256=304EF86297CC7340C9EABA8D3C514EAC7947942E71D6B1F13357B923C252A515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:32.703{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6BFB38107D654D68AF22F6D88D2CE8,SHA256=2D3300B8A6FE3CCAD137C89315CFAD557CAF2C3ECA21CDCA2D1CF8B5214BBD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:32.396{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0463669F09196F75E57443808CDDEF,SHA256=41462CCE93E60F53C847FDF77F242999580C797FB43504D52DBA1BC1E7822225,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:30.328{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com54166-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:29.601{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26512-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:32.031{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4A7F8431440B4EF60F6687D17DA7F52,SHA256=4B261D48B3816465B27EEEC660F51566D2924A7828E14B99E760CC64B51689E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:33.719{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06281593F1A832577DD2CC288D2A133C,SHA256=6D0D1254B829F26CACAE0EDE27245BED455278EABE47C38987EB3051A8E7FBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:33.659{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:33.399{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF710D31F20BF37A0D106EB11629E86,SHA256=2637932761842B78D6F1A9C76BF81A9855A56CB7CCFADDDDC17FE4A4EF50BC18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:30.996{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28048-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:30.724{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27628-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:30.680{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000260098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:33.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4314C3C3C97842E27E7F5EAB581C01A,SHA256=C25ED10C0E52DED14983C3D9EBFA27CB37EA29AF9013157B2F3F10EFAF1A17CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:34.719{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931C60B194FDFAE041AA4C04A3486072,SHA256=8ED2B5F258A7BE7AE75651FB13392E9800897AE9D8C33CADF1A8064025347E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:34.403{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39642DFDA6F53B7E19F35FDF05507F3E,SHA256=6D20AB8BC503D777A95557CE413CDA7E3723300E19A2F4C89FEE345904894975,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:32.633{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29603-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:32.211{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29195-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:34.375{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD1B1980F67E2CE59AB38E80C4D6F7A,SHA256=8F0762B367200F167A58C1F20F786D881A3C716ED2CD33E8BDE1E7A5360B7645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.734{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6312F9610EB8D82A3E9CCB11E362E9CA,SHA256=6554856BA6333C101765139B8947A8F4DA5BAD2E6C969BBF6DD8D373246B819F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.407{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F794AD3F974287CF60C3A006C9C6CF,SHA256=513DDDA7D0E708ADF3A3E2AE0EC7AF3BB0C742D14B9FA9472359E4D447AE6B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56ADB5A8B8059D250F7BD3E4E92FD23B,SHA256=B1139025258A497011E0E70DD57181ADDEFF065044C450AF4A3648EFAFCF0B44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.148{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.147{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.034{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.029{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.029{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.005{5097E253-4849-6148-2600-00000000FB01}28724600C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26e5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000297966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.005{5097E253-4849-6148-2600-00000000FB01}28724600C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26e5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x8000000000000000260113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.781{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6878786F2DCD5061E200118AD4A9BA1,SHA256=618003489E089A9B86DECC2E32593BFB02E8D236A50B8600E8E9DD70FDB406FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:33.884{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om31475-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000297977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:33.556{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59226-false10.0.1.12-8000- 23542300x8000000000000000297976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:36.410{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:36.410{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4D508EFB4D02C9E4B2355DD986C664,SHA256=70C894513FD889592040948CBCF593B666137356E2BDD51480F871B7D41EA811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:34.017{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31175-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:33.936{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31108-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:33.627{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30642-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.297{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.797{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFCBA460DD6C33B8CDBF677D46E2415,SHA256=2F9AE4AD847220A62D60E36F4157F9D8A85994BEC636B3599C84A9B61C50B5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:37.850{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1372MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:37.412{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272735684AF114C1D86B0F79AF5262AB,SHA256=A66D12B000371990BDB1E4F31F6CBE4D7C051CB944FA9B023E21DF3194B922E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.648{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32680-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.570{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32617-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.491{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32546-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.412{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32504-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.334{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32427-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.256{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32332-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.176{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32253-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.097{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32167-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.021{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32095-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:34.221{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31374-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:34.105{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31271-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.609{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FCAD38585AABB72B2068A2CD4E051D,SHA256=A06B616FCA5F73DEAAA8D457C01CA3DB3AFE5885342F8E3659F9BFDF60440A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.844{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19189FE33DBD3EAAFE5EED982CABAD4D,SHA256=D8906DB4F3201CB1CD4E4E2302A5B675408DA24030AFB2887DEF7EDDD0AC911C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:38.851{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1373MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:35.726{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59227-false10.0.1.12-8089- 23542300x8000000000000000297981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:38.413{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B8476D92B31954EF138466527F2C5C,SHA256=B61D224FB2C29216BCEFDF2A07622961E199043B9194647E0BB32E23011FD3CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.913{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34151-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.800{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34045-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.708{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33965-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.664{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.630{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.457{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33612-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.366{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33513-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.271{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33374-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.177{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33233-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.100{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33167-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.998{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33082-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.921{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33002-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.845{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32882-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.806{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32860-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.758{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000260130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.755{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32780-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.727{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32749-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.677{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32710-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:35.654{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com13375-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.844{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F26D2620BB6981F78B79C42B04C61E,SHA256=389C7A2E39DB7D57EC61EF2ABED45B7B241DF7495016BA23AE7D29854FB985E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.976{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.945{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.914{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.914{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.914{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.914{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.423{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9941405D7DB3447CA04BC23E0D64F1,SHA256=5EF5EBC67708F0A616F09CADD2E26458E740AF443A8D52C7EB375ACCDFE973C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.189{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34421-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.078{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34356-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:36.997{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34269-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.172{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDDD3C04FE0156001024AA2BAC9442CD,SHA256=86FF3BCAE12CEDBBF6CF9FAFDD8C989C80481ED3100A2B22A74F04AD17D8C933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.844{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C75D6B4B1FBE82215BC96D4B06C6B4D,SHA256=76EF5E8566978550519A9ECCD09733DF01AD91F1D37D8803CFADD0C02C026A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.828{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848915DA2C5C50DDF1BAB44B4DAD92FF,SHA256=7A70BB793FE93026CD94A2E51CF5BF9492D0F5AC650C326CB228A4A995F8977F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.762{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35937-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.687{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35871-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.583{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35806-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.494{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35727-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.407{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35627-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.304{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35522-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.203{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35478-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.108{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.016{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35246-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.922{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35200-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.842{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35103-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.756{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34991-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.675{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34874-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.577{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34786-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.462{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34683-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.360{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34563-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:37.254{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34466-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.484{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99DCFBD8B59A1D98952596A3FC93D730,SHA256=4763972E392D336C6672EC4AB56AD49C050817768BBF1190F833DE699215CECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.045{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.045{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:40.014{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.859{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A49C63F9098489444F12C86868F50F,SHA256=025B05360AA08632A5F5E752BB169914CE1F04102AC643148353C87550F60B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:41.843{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859FEED729F99026C57CD70623A7DC6D,SHA256=B9377093CEABC306FA498FEBC3D1475E69E50864A3EDECA2EDADAE817727042B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.983{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37139-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.897{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.815{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37084-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.738{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37002-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.657{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36917-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.579{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36832-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.501{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36740-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.422{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36652-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.344{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36606-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.267{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36513-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.189{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36412-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.103{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36306-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:39.026{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36156-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.919{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36100-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:38.841{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36032-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.926{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2EE5B5F84F84BDF1D7AF6460F0CC9F,SHA256=66AD40FCED19A8AB89B7B5A11924AA9E56E0D15775F01C5397085374F4DDF353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.891{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3709D4E39B15C8279E4058214F1BD30E,SHA256=76FFCA153F2C00CBB594BAE7126617D011195146C533B18BECD1D7F63524BE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.424{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37789-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.327{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37683-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37571-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.210{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37552-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.164{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37491-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.131{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37334-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.076{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37166-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4899971F517259A94F4C3715318AD86D,SHA256=42CCA8573ADBB15250107D775BD00026C24E09E287419685EBD412703AF3CC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:39.523{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59228-false10.0.1.12-8000- 10341000x8000000000000000298026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.258{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.258{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.158{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.158{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.158{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:42.158{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.895{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562FABBFF60EAC4871A8D9BA17F060EC,SHA256=23325F2E0E85124553061A9BE48585FEDA318CB6D80F48AFF9A0D5FF28AF183C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.788{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.788{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.788{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.788{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.772{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.756{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.756{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.741{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.725{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.709{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.709{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.709{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.709{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.672{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.672{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.672{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:43.672{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.963{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39272-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.851{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39206-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.772{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39124-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.713{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39024-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.672{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38965-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.578{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38856-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.398{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38712-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.289{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38581-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:41.139{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38490-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.979{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38418-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.896{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38350-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.817{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38283-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.733{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38107-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.585{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37982-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:40.501{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37955-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.724{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1C97E6F6DB0E45E1E94EADBD1791D10,SHA256=5772B0743BD5E188FFA358AA1D51735E17D95CC5C13F4938C01638EBA66855D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.978{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1364MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.897{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D2E65C265F90987AE7E6EEE92E0982,SHA256=89BF50DF1A02D1B52E946D08B7071227912E2C34D6F5320E71306536BC4BC864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.187{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C96FC09BDFAD4CCB118997E7DB73A01,SHA256=CF048A3DC5572F0244C4730403740182EDC864D6CE0CEDBB23464408543A3155,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.140{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.140{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.125{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.125{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.125{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.109{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.109{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-9258-6149-B22B-00000000FB01}5040C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.072{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cc7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A07F5)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\combase.dll+b75fd|C:\Windows\System32\combase.dll+b83a8|C:\Windows\System32\combase.dll+b5caf|C:\Windows\System32\combase.dll+b5ba5 10341000x8000000000000000298066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.072{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ac9|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.072{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b4d|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.072{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x8000000000000000298063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:44.072{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf 354300x8000000000000000260219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.646{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40030-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.567{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39967-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.508{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.490{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39763-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.405{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39681-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.271{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39522-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.122{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39386-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.991{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1365MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.912{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2DAF2EF461F1AB6004B65D486E86C7,SHA256=85F3C43DCBF0137FBF6905DA25BEC9080870EE9995E66C85C7111B1B2A66469F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:45.086{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CBA7BDFFF33C3E8ACFE6091A51E3CB,SHA256=CA1A58FAAF992AA204626B820FE35615FAA6D3CDC2AF2C7DC1904B8A352278C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.908{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41263-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.809{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41223-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.708{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41115-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.624{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40884-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.487{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40777-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.380{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40710-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.302{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40637-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.277{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40599-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.225{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40513-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.139{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40468-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:43.062{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40412-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.984{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40319-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.907{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:42.788{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40047-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.147{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06EB88CBB96C5D0928443A8673BA31BA,SHA256=6F035CBB7CB1B8E6EFB71309824061D0F12D471B329D988DEC662DEF37A819AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.944{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A73C98650592FB57A70F8F73F039308,SHA256=095D2A52516729C8944FE2ABD333592039061076DF95D4916C81F99EB09CC4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:46.123{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5179047A9E4E947AF09186CDD590D736,SHA256=7B8BE3CE5B96486441E74864CC58FE1E67830764FBDBE7F57067C599A514C681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.103{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42455-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.994{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42286-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.877{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42216-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.786{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42180-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.682{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42127-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.584{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42088-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.507{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42010-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.427{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41804-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.328{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41702-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.179{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41587-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.089{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41507-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:44.007{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41337-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D20A3E858B2FD11D74755777FD64ACE,SHA256=3CEC3AB3FBF2E835BBDEC57BE3617927DB4D5BAA370C627E893696AA364C5230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.991{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1175DA4E9DC9DC3405300D6D60604F03,SHA256=55EDE74945C8F07EC214F5D1F7FA75686D7638975EE6DDB3F747226BB0892B31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.869{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43292-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.793{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43244-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.715{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42693-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.635{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42674-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.527{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42669-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.409{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42662-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.297{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42650-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.194{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42521-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:47.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC4A3AA332BDF088922800F82EDFD34,SHA256=1BF532711311806D05A5D68EA4410DB00DDB064CE91DFE6B1EE93466B5F80541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:47.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBA2655E4F8D36ACD25A6DA29634FBCA,SHA256=264036D6EBAAFE02220EC8A76DA45BD87D45E7ABE67101C2EA6379ED60D6DD6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:45.539{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59229-false10.0.1.12-8000- 23542300x8000000000000000298078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:47.123{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2B9AC58D3D1D9BBD1D0727548B8E6F,SHA256=B229AED6B16F56A60FA68389E1335983CBFAF53C6425F17E7BA905D4756A7E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C75BAC66995F10786D765A7442DDB0B,SHA256=2C154E35F67774C1AFCED9CCC1819CA38ABBC703E4857692AE9A3BFA0A31E37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:48.138{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010F7B5A2CEA9421068F69C5EB42CA8E,SHA256=F998C63C4CB6F5602DC4A6F061816678447EC3237E2CB3520F0DBBA0DDC0A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:49.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEA47FA85C286A7AB1DFFF5812FA2CB,SHA256=AFA6B7261D289F43EA1E66BFA24A3CD3F76AF5E95CCECE3F5B7689D4A351F126,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.114{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45518-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.037{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45465-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.959{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45400-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.867{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45288-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.761{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45135-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.702{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.662{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45100-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.591{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45056-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.578{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45043-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.505{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44957-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.409{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44915-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.332{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44778-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.250{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44619-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.165{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44450-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:47.047{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44266-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.830{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44105-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.444{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9020C626ADDB1CE9EE434746E184258E,SHA256=A68DDF47DB33D2A7E8275BA3AFD8E5AB116BAE579D063248FFFF97540D17E14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E58CE7D339A4E0AD6C029F461BA78E5,SHA256=EB54F4E2789B4A1ADB3164982A7D0F7BDB6FED0DA80D11E04E1665BC0734A327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.739{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43977-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.585{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43927-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.505{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43881-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.425{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43797-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.347{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43717-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.267{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43635-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.214{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43555-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.125{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43525-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:46.049{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43453-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:45.953{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43333-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:50.166{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883A97AFC384AF402CBCD47AE2BB7291,SHA256=FF02FD811EE0F6AED29F3DE9EAA3086F2B9ABB97DBF12B4384CADC20A44A43DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.991{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC0A761C2AF4FB24DDB710E8699D192,SHA256=98310B97654709188489EC51476636E8100C97D169DED0491E750DDEADF7AB01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.148{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46577-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.092{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46532-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.058{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46505-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.974{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46431-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.883{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46163-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.724{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46064-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.625{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45999-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.538{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45969-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.461{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45890-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.378{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45641-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:48.226{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45544-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.037{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21914CF97A52AEF3ABF1C2CA1E916F2B,SHA256=7127F035C3C578C6383D4A5A795E0F9A846D8ADA7F5F757AA37A233300F29472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:51.181{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708438B379F821FD3A15201DC15E6293,SHA256=9F9257FCFF8C31F5DA6552CE36792C1E215A498F9AEE83F1452865B68B54A3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.100{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CBE51666149F9036C84E0EAA0962C6,SHA256=A614FEB4C523B7A5EFAE7FDDD4ABB58F99FEF06F64B7749F2ADB148AFF351998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.889{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48424-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.796{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48296-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.707{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48175-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.622{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48143-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.610{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48133-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.543{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48091-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.528{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48070-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.447{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47934-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.360{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47771-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.227{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47698-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.124{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47635-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:50.028{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47475-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.945{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47343-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.475{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FCD48FFB27F982C7160D6AEB8363CE4,SHA256=BEB6668675C43D85AF02ADC32E78026168FDFBA40841364E8C6650B985FF9FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.131{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD8F0CCBE8F8E60AC8ED37424542DA,SHA256=9640E5472B5A2AD656ADBB811AC000C4708087F577F72D35392653445DA743E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.821{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47252-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.727{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47151-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.647{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47084-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.570{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47012-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.492{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46942-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.413{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46881-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.335{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46759-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.249{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46662-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:49.199{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46607-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000298100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.978{5097E253-9260-6149-B32B-00000000FB01}58486816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9260-6149-B32B-00000000FB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9260-6149-B32B-00000000FB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.763{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9260-6149-B32B-00000000FB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.595{5097E253-9260-6149-B32B-00000000FB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.200{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992B49371D6937E84E21E9FC4774FB60,SHA256=C4D18443EC6743C7887CD235BBF838C386925B648CA1423D9B35BE9BABEE6654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.197{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cc7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A07F5)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\combase.dll+b75fd|C:\Windows\System32\combase.dll+b83a8|C:\Windows\System32\combase.dll+b5caf|C:\Windows\System32\combase.dll+b5ba5 10341000x8000000000000000298089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.179{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b4d|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.179{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ac9|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.179{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x8000000000000000298086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:52.179{5097E253-923D-6149-AE2B-00000000FB01}76365968C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf 23542300x8000000000000000298111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793C28794F084A59DF95E912C67E697B,SHA256=31334910833D4A4595B6207F67831CE9BED80BDA964F87607B9FECB19EFE4DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC4A3AA332BDF088922800F82EDFD34,SHA256=1BF532711311806D05A5D68EA4410DB00DDB064CE91DFE6B1EE93466B5F80541,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9261-6149-B42B-00000000FB01}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9261-6149-B42B-00000000FB01}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.478{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9261-6149-B42B-00000000FB01}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.479{5097E253-9261-6149-B42B-00000000FB01}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:53.215{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B242346A2524D79433FFD930A67B90,SHA256=CD836400B5683D7EB7FA51708ACB0575EC442487ECBA90271F886BBB048CF254,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.145{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49695-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.089{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49649-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.042{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49605-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.005{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49570-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.925{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49406-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.902{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com53654-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.833{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49317-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.747{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49221-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.668{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49123-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.589{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48988-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.507{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48928-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.423{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48868-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.344{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48825-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.265{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48776-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.187{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48715-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.110{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48629-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:51.002{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48485-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.162{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6B6090AE2D726160697BD09814DDDE,SHA256=68DD44D77C5BD8D728819BE8274DB6E0B79D6A6794EC29F8EE8388493026557D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.973{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9262-6149-B62B-00000000FB01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.972{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.971{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.971{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.971{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.971{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9262-6149-B62B-00000000FB01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.971{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9262-6149-B62B-00000000FB01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.831{5097E253-9262-6149-B62B-00000000FB01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.322{5097E253-9262-6149-B52B-00000000FB01}43688036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.300{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B4821CB5406006B29C383453349CF6,SHA256=45BD1CFA26464450508A38199DBA014D83449E8FA2A644FE83B3BD3E7E733E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.178{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A23F666D4587338AD382BB769BE669,SHA256=D7E93F3469C6150E4B869394073319E5917DF06ECF25AB1B668BFEE66C4C446C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:51.467{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59230-false10.0.1.12-8000- 10341000x8000000000000000298119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9262-6149-B52B-00000000FB01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9262-6149-B52B-00000000FB01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.161{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9262-6149-B52B-00000000FB01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.162{5097E253-9262-6149-B52B-00000000FB01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.115{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08826E0C4C33A9D8312A66EB17BB72F3,SHA256=995A96C2DA9D7DE69CF94B2DD4E372FE48628A2CB737F128D2AD1549612D9E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.802{5097E253-9263-6149-B72B-00000000FB01}50724500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.687{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_54694f5b-c58a-42f9-abf5-b924396f2d70.jsonMD5=90BAE596A97FDDEA01CCC9A0B8D63DAA,SHA256=4434F339670637C022899AEC52B1506FB20D6C101F4A4B20007BB6CE203AC19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.665{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\session-state.jsonMD5=1FF39E8C1CA69270CE7BD52432AABBBC,SHA256=7217C5836A85B934A26D68464AC467B1DE4DBC29A99A1BFDA68772212EA2FC86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.650{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.650{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9263-6149-B72B-00000000FB01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9263-6149-B72B-00000000FB01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.634{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9263-6149-B72B-00000000FB01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.635{5097E253-9263-6149-B72B-00000000FB01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.303{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7D2C44B3EB9B7CED339AD750B45141,SHA256=8631E9640FBD6AE872251699D5D505720FE3AB8B2B350D299B18A078AC1152B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.774{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55FD15F535C535980D6024E43B880BE4,SHA256=14D320DE0F5417B3CF12465AF5B6F4A29FD6AA27D986CC9D65EC7F9649186DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.195{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C49934B03BB305F9E2C14D9903B599,SHA256=B073666146B4104F4080685A72CF26AAAC79FCA2C95EA3DE72A5AC713D6278D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.135{5097E253-9262-6149-B62B-00000000FB01}67287560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.317{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50869-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.232{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50758-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.122{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50679-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.010{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50556-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.917{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50498-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.840{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50426-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.763{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50341-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.717{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.688{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50266-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.611{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50184-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.527{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50004-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.363{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49934-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:52.258{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49770-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.633{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1703612C96C5E54982EB8F75BBB6A06,SHA256=2C76F33207B751B3B40B37A93B0A51176D7932E46E61DBB272CAC3A75F8966AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.533{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793C28794F084A59DF95E912C67E697B,SHA256=31334910833D4A4595B6207F67831CE9BED80BDA964F87607B9FECB19EFE4DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.533{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520BE2992F1346B3B8BEB7128BD9E01C,SHA256=80BDED10C51906E5720C4D131B20A8F7F0E1B5833968D9F6EB6D55D4E4C76AA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.449{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9264-6149-B82B-00000000FB01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.449{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.433{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.433{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.433{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.433{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9264-6149-B82B-00000000FB01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.433{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9264-6149-B82B-00000000FB01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.319{5097E253-9264-6149-B82B-00000000FB01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.211{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDD9519E7C49B3F25592509D63D698C,SHA256=65BF5FEED11C58178BD35F4AFA5B1605764D8718628B8E6236D2E5206DFA569F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.049{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\94eb593a-01ea-4e24-bc41-f15635d7f61bMD5=F61CF42B93F2B5DAFDCD6D5FDB50DC79,SHA256=EB195FB9C07FC59F28D6BD293D1341789A5B2F14FE8AC41F1532CA6FF54D90F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.336{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51919-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.227{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51849-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.109{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51659-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.973{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51530-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.810{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51488-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.769{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51435-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.734{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51409-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.692{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51318-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.650{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51280-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.571{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51158-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.490{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:53.413{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50961-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 22542200x8000000000000000298163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.653{5097E253-9226-6149-A12B-00000000FB01}4420pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com054.70.80.82;52.27.6.50;54.190.205.249;52.37.158.247;52.43.83.211;52.38.12.166;54.148.159.250;35.167.137.152;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000298162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:57.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD46E31F548DC533B79148B1DA81235,SHA256=F179BEC4490F10E05639B6A9B015DE17327485ABA92BB30985E57E84430EC8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.226{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E8EBAF6B9000690F32010C44A317EC,SHA256=E08E22AA5F76D0C5CF553F3D7183D193B5CE493427DB2B6A3A5C643A6403A3EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.319{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63431- 354300x8000000000000000298160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.979{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64385- 354300x8000000000000000298159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.978{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50884- 354300x8000000000000000298158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:54.976{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local65531- 23542300x8000000000000000260385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.195{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD8292D24206B4C9A1109EDA0F381426,SHA256=E0F0855B113364D88A749ECD3FE350B6896D845002A9E3BCF63A1A0527C6AB34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.122{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52734-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.995{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52636-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.903{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52575-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.801{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52480-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.721{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52383-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.638{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52306-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.556{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52105-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:54.441{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51986-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.445{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158228719B3CFCD40C34D566682B68E7,SHA256=B3EA8DC26CE04588CF21222870023C5211F10B884A400E141D16CBCE36893158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.242{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3AF06050CFB178F1C6D353C898D17,SHA256=171E2FBB4C660A86CF2147D31EFA511ED38253B4511349890F2477EC0E9A5B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:58.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D1B7B2A9B7317E209052348404F6D7,SHA256=3547B18F25A9F2C6E0BEEF649911D03F8859B9EF19F51D553F5A3DAF1F8DA55D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.850{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59231-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000298164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:55.850{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59231-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000260397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.144{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53771-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.061{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53729-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.979{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53642-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.896{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53544-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.818{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53442-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.740{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.659{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53243-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.581{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53185-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.492{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53139-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.411{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53047-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:55.373{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52994-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:59.530{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5E41D81E1851ACAED271DC6F0A8C49,SHA256=927AAEDE4E4832764C77D5FEE8E1F63712F7C27B9D8B3DA707E839E964C4A420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75CC7A96B4E9572FA42703FE3F7187E2,SHA256=D4A6D3A6E663351942867768A5C2DC312CDB994BFACB4C3747516B546121869E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.840{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54570-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.762{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54437-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.665{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54370-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.586{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54271-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.508{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54102-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.421{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54040-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.302{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53956-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.226{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53884-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000298167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:05:56.534{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59232-false10.0.1.12-8000- 10341000x8000000000000000298190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.647{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+4906a|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.647{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e6c3|C:\Windows\System32\modernexecserver.dll+1e7b1|C:\Windows\System32\modernexecserver.dll+3ac16|C:\Windows\System32\modernexecserver.dll+22087|C:\Windows\System32\modernexecserver.dll+29989|C:\Windows\System32\modernexecserver.dll+2c80b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000298188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.631{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.615{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.615{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.615{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.615{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+2a5990|C:\Windows\System32\TwinUI.dll+2a80aa|C:\Windows\System32\TwinUI.dll+287b97|C:\Windows\System32\TwinUI.dll+286ff4|C:\Windows\System32\TwinUI.dll+287217|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.615{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+58f0f5|C:\Windows\System32\TwinUI.dll+287c5e|C:\Windows\System32\TwinUI.dll+287b71|C:\Windows\System32\TwinUI.dll+286ff4|C:\Windows\System32\TwinUI.dll+287217|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x8000000000000000298177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.562{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450493C8E34E7A822C673C923A07FD49,SHA256=3003E27022F314E695C567964DB7E2C59F390F14F7C3911B30B5E33AD755FEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.273{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A516DBDE9F1D3EC05ACDFF7B9426BC81,SHA256=0C9C3A490AEC45C524EA7F9506D0571EFE71D748B399C1F88A758A4FC81697BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9268-6149-B92B-00000000FB01}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9268-6149-B92B-00000000FB01}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.045{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9268-6149-B92B-00000000FB01}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:00.046{5097E253-9268-6149-B92B-00000000FB01}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.172{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55980-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.161{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55972-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.079{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55896-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.075{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55893-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.000{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55825-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.998{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55826-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.921{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55730-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.843{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55647-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.764{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55520-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.680{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55466-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.604{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55389-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.527{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55307-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.446{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55210-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.363{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55009-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.257{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54847-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.157{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54812-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:57.000{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54719-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:56.918{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54671-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.148{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083DFE08AFA7D18B79BBF3420C52E98E,SHA256=3DB729D732EE4AE370E1C06B0697592C7C6FFD47ACC073763D39CBB37D93EED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:01.599{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A2D333CEC9854743BD64746C2B5C64,SHA256=99409DA8A417E59922B1886A88E90CB3DF3F2CB829E08B3E69BF3CE72B0AEAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.304{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A4A9421B14081AB67909F8738640CA6,SHA256=1EAD180DC2E85640789074CC8BBEFB27C3DE402E646CCF5B386D147EF33A2E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.289{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C67F2411172EDE7DAFE92A4571F7070,SHA256=11AFE077FC1E2050AC18C2F5771C98D92992BCC7AD1FA21027B723E9BAD9BC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.442{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57258-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.341{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57131-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57081-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.151{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56977-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.056{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56866-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.972{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56784-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.871{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56616-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.766{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56537-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.677{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56476-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.625{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.602{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56330-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.521{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56240-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:58.259{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56040-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.907{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A1ECBD2833A3AC2A86C5997F42C3CE,SHA256=D2EDFA02269962C3ADAC0E87B6865EC73273AA9052127AA468008C2BCED0C1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.903{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DC67B9C4E89F4F871884D07BFA2886,SHA256=CCC8A6A90E0100818196A1ED1072FC249D7118617AECA6407261F88FA3408A14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.727{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\TwinUI.dll+381436|C:\Windows\System32\TwinUI.dll+38153b|C:\Windows\System32\TwinUI.dll+37f40f|C:\Windows\System32\TwinUI.dll+1ee2e|C:\Windows\System32\TwinUI.dll+1e6df|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.672{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.672{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.672{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.671{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.663{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.659{5097E253-8792-6149-A129-00000000FB01}43164828C:\Windows\system32\sihost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.619{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.619{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.619{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.619{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-923D-6149-AE2B-00000000FB01}7636C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000260453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.320{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B123172F318E6BF71EDA97ECAC597E71,SHA256=1C3EEF7225EA11E49E5449790A69EF9368DC339F0A7F0AF7657135C3B67FA42A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.463{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.463{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.459{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.451{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.443{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.443{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.439{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.439{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.439{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.431{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.431{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.431{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.431{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.431{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.427{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.423{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.423{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.423{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.423{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000298203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.419{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.419{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.419{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.419{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.415{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.415{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.415{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.415{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.387{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.304{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\indexMD5=3CCBFF536B87F80F44C135E2376068AE,SHA256=E53A390B806985268DAB304C31513D79EDE3993150784D51E206E68B2DFD893B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.368{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58158-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.282{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58108-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.127{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57974-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.052{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57886-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.976{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57770-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.890{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57660-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.777{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57604-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.699{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57545-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:05:59.523{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57332-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:03.684{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B528668677B90D90A025DA05CCCDB9,SHA256=4956FBB19C32BE662978911E3F96F9784316DCE8B95EB90ECB3FF53FEB77B54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.331{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73C3BF197AD77F778E09D6CCDB6EF97,SHA256=E56C461E7AE7AE6DC68FD257F2CB69FC33E8079A014137FC93A25D47274E60C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:03.504{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:03.504{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000298248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:03.504{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 354300x8000000000000000260470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.359{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59193-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.274{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59171-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.186{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59104-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.185{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59103-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.108{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58993-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.028{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58862-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.945{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58813-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.933{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58809-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.866{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58767-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.856{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58761-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.788{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58684-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.709{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58602-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.631{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58507-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.553{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58345-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:00.451{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58240-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.206{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B04589B0FE3D068661AE0D91AC5D12DC,SHA256=52FDC203430C41D26DE70046DE79351E85293EFE3CAAFB5E91047265406D78A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.023{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=288D03263735BE1D1285AE1DA15CA136,SHA256=C1C16089E0AD47693FFE47CB25475A10DDD5596B1DB4D330935B8EE0D835DD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:04.689{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CBB6341253915512C120C08CF97028,SHA256=24499A0DD005A89F63883C64D117B557C6D23365A4D57C843A352EF1F6BDE41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:04.346{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AD8C2FF50B6E799F032F27951D0A8B,SHA256=C4E594928AEB8D0F7CDB78E9DD0ADF83282C8CE7B4D77987D99F5936EB7A2B16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.597{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1680-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.431{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1504-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.349{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1411-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.250{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1252-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.155{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1126-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:02.043{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1046-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.954{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59958-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.874{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59863-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.796{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59683-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.688{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59599-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.607{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59543-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.527{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59464-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:01.448{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59318-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:04.237{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D61D5452978C2C5FFB7A4BCB389D8288,SHA256=6E796E8BD08E90FFD847DCF32D8685576EDC8A72472FA9C852F3FC9ABD061F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:05.862{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DA1AC5723E6EDFB8CB79322D73B1C0,SHA256=0A5D36F3455497B7985DB420418E57C06FA67FDD6B537301D1D5A53FA2A3946B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:05.362{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE7547428B855BBDAF93D96FA5377F9,SHA256=0F9106EED6FB4DDEBC64726CF50772474F9F1FA78146C5609EA7BE4BDA75BFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.673{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.671{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.671{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.670{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.670{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.670{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.670{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.666{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.554{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.554{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.550{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.550{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.550{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.550{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.538{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.538{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.538{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.538{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.534{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.526{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.526{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:02.472{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59233-false10.0.1.12-8000- 10341000x8000000000000000298261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.430{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.430{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.154{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.154{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.154{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.154{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.154{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.150{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000298253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:05.153{5097E253-926D-6149-BA2B-00000000FB01}3992C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,soundsC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000260493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:06.409{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20C2D12714EF07E311C87A65598007F,SHA256=C5429EF16647912E0F3061ACDC5246EFBBE3603771D287E5774AF851A523EEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:06.243{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:06.243{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:06.159{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B233263FD47671DC63D89CF6911792B,SHA256=C39298A47891AB3EAEA4BE846A4ABE38A2966B810B7F3CF552CEC425A23D487C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:06.155{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E15CB142DE152A40DE5CAD04A2C9163,SHA256=688F78AC7EAF770BA656177AB9BDDB770D549230FDCBDCA1D3F01B3FB1B99C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:06.026{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A5C7D43E5C7613D3FEBBA07A3E604F,SHA256=DE1747F5AF6E94910E83FC24ADC40EF1BE3CA03B8C5D6C655E400EBA32A9EAA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.990{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3114-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.977{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3089-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.899{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3021-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:03.822{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2954-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:07.581{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8F645B5E4A0308CBDB104503F967CB,SHA256=31BF74B260EF7D81C92C5B9F12473C746F51F89406DCBD62E45FB7EF32FF7D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:07.424{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A8E5FA79B1B78DD64FECEAD5B9324B,SHA256=66445ED55CC16D8B71EC978628F2BC890AC4DEEBFED6761C46072720FB063570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:07.036{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7304B903C642143B98161A1187143C,SHA256=D1AE08D2292350C7FA80A8031211FD44340F1281E6A55869A6394D0D013BA8F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:05.712{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4694-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:05.487{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4624-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:05.486{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4616-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:04.573{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000260501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:08.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15AE944D8D79A82209F54C3D11699A78,SHA256=6AEF5019E385AF97EBAE5729F35FD8A8155326D03CEFC1A64550ECB6D1FB0CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:08.424{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945CBE395F900E048E149F118BAB7536,SHA256=11A9611D56B3448559612E34FA9362EA2CB8948100A43700B204E49495268A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:08.037{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55187F54D321E0FFB91F6890C95BAD8F,SHA256=8401AE56C37A3A2EBC512CB90DB687D80C9D4D5641345BFCD3D39CC9D53BABFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:07.175{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6209-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:09.440{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292AC3D552763F8B69435FC8CC404621,SHA256=5AF427D666A347156C69A2237CA9F1732B7CA89635C532E4B669EFFD5C6A5DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:09.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66973E0E91BB5C08056E4C99F1BBCE80,SHA256=8205ED2AA9CE08FBEB52BE7362BAE306CFA61DB7AA1D6B1F76F41116DAD502C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9CADB9589257D8CE662F5336D4F5A08,SHA256=2A8F093829B921153F3C5410BD294AA707FBD92A8A93043A59A399407885FB84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:08.669{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7799-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:08.593{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7715-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:08.578{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7648-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:07.240{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6237-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.456{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B21B4470953E0D36803FE19B1CB750,SHA256=29EA0FE74703701AF43DFE5F62111316CD1FB320F4ECAF3A9F0632F3E8C0031C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:08.378{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59234-false10.0.1.12-8000- 23542300x8000000000000000298299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:10.051{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2BDB94EFBE1B7C9708E370B6AD9A01,SHA256=F8E8E2B69808C1C09E7F2D9448A01DC8C8A1E998EAC56D796E36C80F04CAFDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:11.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3195A9C25930BAF8C2645A18B6A749D,SHA256=98A04B6DAD47013CACA8D7A08D40423E650F34525BA546A30B0F715EC580EE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:11.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BBDF8881CF57B867C863D345D8B7B3,SHA256=1262301FDC52ABDE26573715F2A8DF7A55F881B56CCB2D0C28A6CE6860A80B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:11.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9271964F29DAA47F54442704BB1CE5,SHA256=7D04159C90A000555B4926F03E7BFA07B589850CFB5D5E338779F47A418CE818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:12.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C233679E76B047D53FB03E495F714453,SHA256=D0FEE9A2F243428F538E9CF0FB92E6A1EB507185D1CF2C31D8D85120C7E7CD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:12.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924CA8CB7EDA05775930F3C643AB80C1,SHA256=534766C753EC7C88E6E1B20EA749C4C71F4E5B0F0E3C379FAFEC56106749592A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:13.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B2DC7E8310C8CFE86E8EBF1BEA3C6C6,SHA256=2FF033FE7414DAD37EDED483F1CBB6A94E3429426C1D774141DECDB96EF739C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:13.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D64AA97EAE02301E35DFB9A022FFC0D,SHA256=E89F2108336D4C7729C5E0A4CBBCE8AA58AA49EF5524D251318A505602C2E908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:13.294{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D302DA4360D6EE1D9D163D1EE3696339,SHA256=9910D1B0409BFF8FB2E68E4139C86A3F918B8F6D187ED40CF365E8868E82038A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:11.656{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10813-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:11.524{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10673-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.557{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.194{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9351-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.117{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9273-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:10.085{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9233-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F770FE8EDE88C8424E78D4FD43784D5B,SHA256=5288AB6684B13721D580595D3242E72D7540160470CFB3542B394784A763AF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CFAD348E8896AEB1A4A1539E290CA2,SHA256=7B4F61DF9933547CD02EDE63AB505F38076A21B1965C8240EBFBE07F12A075D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:14.300{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318469A6E3DD745A1DEFAFC1D24FB077,SHA256=2537D01B6BB93C0B97FD0C7C5F0A080BE91B2285846408BD38E8F4203E463C02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:11.746{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10931-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:15.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DC8B6BBF70B5C275ED489AEDE920D1,SHA256=5E29B9C75F1F3E1CBC2DB15B175F593B3F21841C5186855C0919BDF590DAED33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:15.301{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72A89F4B7D8F32FD90D68BF8D39BA8E,SHA256=D77102A215C973D2E2C7912B158270D53BCC497ED576C2DC2EBE28D52415C516,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:13.288{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12587-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:13.126{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12383-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.518{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5716CA29A42F282C6B2F70FB60E034,SHA256=AE69E08CC7F52FA622486AD5EB956BFF2D0A708904D93EE168AD3F72551BC2AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.643{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14003-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.611{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13984-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.532{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13868-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000298307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:13.491{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59235-false10.0.1.12-8000- 23542300x8000000000000000298306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:16.302{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC513BCE89FFC4EC3FF23FBA7A412E77,SHA256=70D6B59D94216E43C83114B8A023798AC3EED1FD85A9CDFF490C1781C8DFC993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.456{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB32707DF2DFDB8D05AB4034FEE02181,SHA256=ACCAF6E25DFA874E8FBE2BFAA15CD69EE4EF33E38F82E879334584CC2B0D9253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:17.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1903658F52E1ADF88FCE574D49379C19,SHA256=48C4F9E407F086CC5B6E4CD2D7C337138EFD43D48FF7F192E8DF0B5BEDBB009B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:17.304{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EA3A7D00390662A77F2855DB108B9D,SHA256=2113E7D0EA76CB7DE111BD61147A41285DBCD8D9A058EB5649B1A65D889B70DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.215{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15658-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.092{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15515-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.029{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com52571-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:15.604{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:14.944{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14383-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:18.549{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFB1635B7EE86789B9537960BA0EA3B,SHA256=5E4271569CD54F3237D152B97867B336E0CFA1FE38A66C17B388C644548E3264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:18.409{5097E253-8792-6149-A129-00000000FB01}43161460C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:18.305{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1051C2BAC8D8382F9009B816A4629194,SHA256=89E875CAE45758083656AD309BCDFF2F71C348C5AD8C2662C6EDA74BFD5C1A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:18.159{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DC19ED5E0EF3CE7574A84F46163A7D,SHA256=36E34AB8549B314F25F27FA1212E5E3E21089583B9C01FA2D91ED5F3BAD9BAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.382{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15830-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:16.301{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15741-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:19.674{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7FCCC9FE6BA6AE3BCD7B5B311DD4E09,SHA256=3BC1B1C6CDCF291EB4DE8364CBC3C61F66D5E4B07FB2776578E905598AB82FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:19.565{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AF1C0BB3FD2AEC8A8F6B3BC2695351,SHA256=8D325193D919160198CE73AAE7B629E16B1C1A43CACE8E60DB15EE5934B7DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:19.307{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610C1A6C7AA86A4DFE61A6F8B1D32984,SHA256=F162363209617899DAE440F9A430AF5B176D66E586494DA32A2D6ACEADAD9EF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-927C-6149-3827-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-927C-6149-3827-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.846{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-927C-6149-3827-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.847{C189DCE5-927C-6149-3827-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.580{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB3406B3CFCFD0E030AD581B661769F,SHA256=D49F2CBB659E9743A92BEB9447B6A12F2BFEA4344FF844679F90F13E3D4FC63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:20.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767A3EE279F29223A3EB6202335AF4BE,SHA256=4480BBEF5F03A58D82E6B35700C99B9386058F0B214F8DD8FF67EACFD7DF8A41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:17.886{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17293-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:17.787{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17232-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.815{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200622EEA98E917EDF757B5290764A5D,SHA256=B1CEDB06C3D12D8BC731F6D3937B4449509C77F5C985CDE0022B11474679C684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.674{C189DCE5-927D-6149-3927-00000000FC01}23722392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:19.400{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59236-false10.0.1.12-8000- 23542300x8000000000000000298313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:21.310{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292E5AE76787193470721109938D5470,SHA256=E976727DD16142A439F9E777E36C6BC43BA5971956F1036CF315271963ABD5C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-927D-6149-3927-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-927D-6149-3927-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.518{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-927D-6149-3927-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.519{C189DCE5-927D-6149-3927-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:19.348{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18871-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:19.269{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18774-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.127{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=073CA3488571EE1E26E1E02D600AEF46,SHA256=627C79FE532948BA429B3FE688C70FFCB0838E671207C345B522096671E3CFD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.049{C189DCE5-927C-6149-3827-00000000FC01}2324912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-927E-6149-3B27-00000000FC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-927E-6149-3B27-00000000FC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-927E-6149-3B27-00000000FC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.862{C189DCE5-927E-6149-3B27-00000000FC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.705{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6847D729040AEC5FC0F521AE759E0C42,SHA256=21D84A905BDE36093CBF9329A043FB4E9611A80327E88BA8C1C8F6477E4B3B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.311{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA9E4D61233FEC103999C9AF21A8351,SHA256=297E57CB5F43BC39A49840CA2DED33DE2A36F76A29F7323539BC3A44B252927B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.612{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13AD48CFA26804DD25DFFFE6A750EF50,SHA256=C45C4AF1894D3E3650D41C2421BE4F580BACCF93FE72D8DE0C11B8155CAB6666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.759{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20357-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.681{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20303-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:20.620{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:19.524{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19016-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000260591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-927E-6149-3A27-00000000FC01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-927E-6149-3A27-00000000FC01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.190{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-927E-6149-3A27-00000000FC01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.191{C189DCE5-927E-6149-3A27-00000000FC01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:23.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0948E279CE343DC1A0144DD61F6C7402,SHA256=83713F988801B474DEA5A4F8E10DF3382A24941DC39265B0FFB8B0A07A076325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:23.312{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A871F0FB7F15FD3B08EA18053F2784,SHA256=F52574697072E43B37D858BF9E5BF6463A9B7766C1C090BB49334BC747DA99F1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:06:23.008{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000298317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:06:23.006{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000298316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:06:23.006{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000260628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.751{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAF74FF36ACAD6350C049B2B56C0880,SHA256=4D22624D81EDDC3493E9357800BB9FAA5E1D4C4BF6C89AFA67F255852511D4DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.751{C189DCE5-9280-6149-3C27-00000000FC01}2960492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.331{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59239-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000298325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.331{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59239-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 23542300x8000000000000000298324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:24.313{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCD0FC1851DD8641C3F875662EA42D6,SHA256=57D0954961B9F98837CF54D3077BE7B365CF45939B62117F187630798629F69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:21.048{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20539-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000260625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9280-6149-3C27-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9280-6149-3C27-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9280-6149-3C27-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.611{C189DCE5-9280-6149-3C27-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.064{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B200BB166CE25A46D287ADEE480BD8C,SHA256=E905BB423142B4B7CF9BE062B8D7D3FB3B0E4EBAF0B086476E29ED7621C06A2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.325{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59238-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000298322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.325{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59238-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000298321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.312{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59237-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000298320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:22.312{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59237-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000260652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6BECE0AE96AFC67FBDD9C826457A52,SHA256=23D100E241A8A91E37E23A8E0B9EE953D9812F1EC13BDF901E0E462788E48A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:25.315{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8490D7963079EEB23DB20A6D3E16A7BF,SHA256=3E4503E5C450E88F0A2A1B158CEA55E7ACB72E3CF3ACA8497D8719DB2F337636,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:23.875{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23570-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:23.788{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23488-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:23.710{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23376-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.754{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22415-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.675{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22303-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.598{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22176-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.523{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22099-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:22.361{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21882-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.642{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513339132C5AA5A4DF0D50E6C4D307ED,SHA256=03031908AC8646889231306CEB97139B334CA5357842968B1632B8D733459647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.439{C189DCE5-9281-6149-3D27-00000000FC01}10282448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9281-6149-3D27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9281-6149-3D27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.236{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9281-6149-3D27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.237{C189DCE5-9281-6149-3D27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D26B6FFCC19ED508EA7AABDA5A90683,SHA256=085C55DE2F72B6C1BDF749A05D3FE7043BC2C9AECF1B8A1211642EC0CE9C3349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:26.316{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C78CF30D8352EA1885068C1076E08DD,SHA256=392BB5E12541FF96691929C6BEB522EE4AE5647137760D965228D63AC4E2457E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:24.336{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23889-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000260665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9282-6149-3E27-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9282-6149-3E27-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9282-6149-3E27-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.564{C189DCE5-9282-6149-3E27-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.876{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D309BD5499738EA8851D87A99ED382,SHA256=21D7E2E43A22F38B9A0C38946C9A25302F490BAB599930C19B9CF2427B1D6479,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:25.355{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59240-false10.0.1.12-8000- 23542300x8000000000000000298329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:27.317{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3778DF55BAD1ED5BFA45454308521F1,SHA256=936E95F93A789B817673121AE60D76CAEC62C30C0859F32DAFB588526D4C7FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.914{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25779-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.837{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25685-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.797{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu51464-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.759{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25590-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.682{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25460-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.531{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25167-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7197B28CADBC171E63665FB0D14C9AA2,SHA256=142730030FDDBCB6B0DC822BDAF3FC2F7E3A3A26B470FD624A504368644FD849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:28.954{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C617044F68358DAAE5FD1ABC7054B6,SHA256=8353076BA011797AE55F00E9EBD3D6D78298D5E782ADF135B1D4B80D1139AE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:28.907{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF166CAA56A26878C93F7D7D4A0C362,SHA256=C29FAF1B2B049F94E0281A066EA3D1C18247C0F59E4812D63DDA8739BF97A53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:28.627{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4E4FE13BCF16239E9F6F5E1B5EB7EE17,SHA256=07853C4416F9D1D68E8FC68115948C8D9CD4FB08121C0B5F88571151777C67AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:28.335{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240CC35E2B95031E794BEDEAD89E662E,SHA256=CAA8DD6C44D2D170AD8D8EF7721352274F12A33A8E8BD5BB8E20AE1E8842EB75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.975{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26726-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:26.898{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26638-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:25.994{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25818-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:29.939{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA73BBA1B136633D86FD4714B440BB27,SHA256=01B43DBB6CF57C451A950BAF0613073F724E40D1F0F58A3E390EB108EC0FD69B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:29.343{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D3994911D7A6C4F1C90EAE23E24B4,SHA256=A2EC7787C29C9154F4DEB1626232732927CFFB98E6C3102FFD5AA01ED113C377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.703{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse106.245.140.119-61243-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.553{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27411-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.475{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27334-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.132{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26927-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:27.052{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26821-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:30.954{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15A770C0644BB0CB00DC56E4371A20,SHA256=A2C8DEE7B08461AC9AFD526E74A4BECC0AAB851AE414DC6190C73F2687BEFF4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.403{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.403{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.403{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000298336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.393{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.393{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.349{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF32F7D648AA78E782E4BE80E2F207D1,SHA256=2A7BD92B93EC366CDFA936DEE5C835C84292BB51FED445BF0755F3C046AC0A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:30.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06424C5D919543AD5B499BAA0F09AF3C,SHA256=E359F5B891F728285ABDDF4E3DEC70B28259DE11E24AFF03C6C94248046C19E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:31.986{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070834FECEDE5743433A52F89F2C9004,SHA256=3B46205A1B42FC423DB6C6A414ACEEAFF57DC6B7F3E0732C9D221E447EA76A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:31.970{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959656ED689E829152C7EF7EC4326015,SHA256=7D0C4EDD9049980BEEF9BF8ECED0D81A404CCD5C23C110DF23F302AAEA40FF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:29.008{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56746- 23542300x8000000000000000298341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:31.349{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756982175B578928E71BD9EF5AD4C2B0,SHA256=A8DB669F84B5AB57C52EE2FCEE8BC8BC99F03B13413CBC8C00DF73D21B7D8F9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:29.396{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-917.attackrange.local56746-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x8000000000000000260693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:29.150{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c840:56b4:9bd:ffff-56746-truea00:10e:0:415f:415e:5f5e:5dc3:cccc-53domain 354300x8000000000000000260692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:29.119{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29072-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:29.036{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28859-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:28.729{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28450-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000298340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:31.157{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-8791-6149-9F29-00000000FB01}4148C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:30.372{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59241-false10.0.1.12-8000- 23542300x8000000000000000298343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:32.369{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8385E2393E15DFD6116C599BEA1042F,SHA256=25D88D2D628B0EB1F611E26ED9A6A45EDD816CCABE9CE4BC9E34F84F19652B76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:30.177{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29915-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:33.395{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C501332332F9302602E637389EBCB808,SHA256=0F4A802EC64D469F50EDE538CE9A8B08FB8D0333249E9D6443F008874BDB102C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:31.617{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31426-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:31.081{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30833-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:30.697{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000260699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACF7732227B2F73C63790E5C26A7D82,SHA256=CA078E0ED6CFEB635035AC76EE67D3A233F77C443FF58DC453D3C328025ED0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.001{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE74C0561144BCC28B78D0C602D1A5C3,SHA256=8F061200476C0DFCCFCE34F12AAF8A2F7DCC139C31C8DE84A117C6490EFFE97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:34.494{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FAD1D1464110F36273BEA391E1C933,SHA256=CCD296DFD1B9149E6CFF623A6287AE169F8EAC88A66051959312CEF2A1A545CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:34.001{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8C4754F5F669E761A6373C5F0A89EA,SHA256=61840B9FFC0E8DE05F605F4C87448E1DB285AA0BB03502CA44663A54A41D1F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:35.510{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53072046C19AF92AB199FD145F1F6770,SHA256=D062F2523B1F41118A5DDF6D2BE7DB2DB061A4C4CF7C0D41120C7C06AF96E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:35.079{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672F6EB44B5AC41D29CC0D7114DF19E9,SHA256=8787CF308B9C7A9E648A72F7489386F1675D549F1362B9D169DFCFEB323B88FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:35.032{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E602B131CE330750A0382F0C19971C,SHA256=B46E7B307258CF65F9C3468FF70B609CFAB71D5C68A829295A7087103DB75FDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.195{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33040-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.107{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33006-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:32.443{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32368-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:31.698{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31552-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:36.529{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0312CA3487F91DDE9C4EFC18FA149A9,SHA256=0D9192DE72E19CB85F4BCBF03767174BB5645BE55543947E0104A9FB9F9181E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.517{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBA7341309CB7C7DC58D222B3146056,SHA256=AA4C390805CA98E0CBF520AB8060A4A51BD3247B0EB0121A8A6FE86BE3665838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.314{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.064{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879FA275FD41D1CCA4BEE2448AA3C98B,SHA256=B1A0D9370C6647A41DC87480E04F340B322733F1549CB69FDBEBE1C02F2E0B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.929{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33863-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:33.274{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33230-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:36.429{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:35.727{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59243-false10.0.1.12-8089- 354300x8000000000000000298356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:35.561{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59242-false10.0.1.12-8000- 23542300x8000000000000000298355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.675{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=8E0CC8657D4562F4D918D1E9B57B7B40,SHA256=5EDDC635120E9D81FA5F4339CB4D614F429FC5DE5325872363FB42184477D4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.675{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=15CFB90178BC2A229188E432CD5FAD7A,SHA256=5FEF80412C0AD323CCAC120A65C570A9F6D009465ECFBCFA7445AAA70B05E6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.675{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=83816BC7CC98CF4F8E73D0BF1B3F7E91,SHA256=7129BA678B9DC28FE2E8352C4730674A4597B59EBD98FF889AA02029E313996E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.675{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=1465974479DBDE1119951E00C56028BC,SHA256=DA0C39CB88667F4BB62524CFD3089D43006C084522BAD1E0146AD68DF82592B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.675{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=12B2707ABF011E74FAD1B7BD0DEAFFC7,SHA256=EEC65DFC1D2202450328D94AFF617A6029E46DFA5E659A84DB175E30153DE4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:37.543{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47DF5A32B2819E35E21CB7C9D36EA0F,SHA256=45B22A21A9EEBB7DF96BD56E5F9B6EA06A65C8570366C5AF856EC4E848E9430E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:34.702{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34638-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:37.064{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0627C7A02A3055E7BFE8B70858241541,SHA256=CF4A905C9E06E3C0E1E3204DF476B23C62A5147E62E5F1CAE3B2211EA9667C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:38.727{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9832441A512F27D03177739783ABEBCF,SHA256=605FAA74E6A3F382A1FDAB5C9BC02798DC8FC5D8E37F7248A5A20AE319D11CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:38.727{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B233263FD47671DC63D89CF6911792B,SHA256=C39298A47891AB3EAEA4BE846A4ABE38A2966B810B7F3CF552CEC425A23D487C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:38.558{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF5F235176C9B4CD899CE2E5FED81B5,SHA256=05901542511C5FA4EF067AFA4974007112B42E641AEF1A607E61C881F4E72798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:38.142{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312DE07C18CB4AF9F5817B83E54712EC,SHA256=A24ACA4E328300C20587AF81E6C60FD3609C7F2975B702C94C24D2F9BE1CFBAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.234{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36347-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.142{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36231-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:35.775{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000260718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:35.289{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35372-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:38.111{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5738DD289398A187BA48B1200573095F,SHA256=9572913D634490C1457845E0712CDE3C69624F9DB0EB1A00208541AC6CEC6788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.810{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\permissions.sqlite-journalMD5=511AA103C2DE9A2FAC1EC23F9DB01F15,SHA256=46C41C5169DB11D334AE37A0C04F90728DEA07E6C054B4BE5D551D49893652DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.573{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16321FB8687F9EA399F43A0F2958F80B,SHA256=28107678E18A1F320A56E613CF83A6E530447F27F3ACE54B4D7022B8C140A4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:39.642{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D2BFDD9AA2C63D345886C8805225CBC,SHA256=17858342467ED1C7C2EF82B89D286A7A9BEBB82ADA834EE0F3DB5D684626C1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.730{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36803-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.556{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:36.311{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36430-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:39.111{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9CD3869CEF1D4BDCA58244CDD40741,SHA256=F40F8D910D6EC8C57D2F018D597A32402F54ECC2EF5B02D88C46E6F2B0205FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.375{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1373MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.139{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local49332-false142.250.186.100fra24s06-in-f4.1e100.net443https 354300x8000000000000000298411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.136{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49331- 354300x8000000000000000298410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.136{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59482- 22542200x8000000000000000298409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.193{5097E253-9226-6149-A12B-00000000FB01}4420e9398.g.akamaiedge.net0104.111.237.251;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.193{5097E253-9226-6149-A12B-00000000FB01}4420mem.gfx.ms0type: 5 amcdnmsftuswe.azureedge.net;type: 5 amcdnmsftuswe.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0017.t-0009.t-msedge.net;type: 5 part-0017.t-0009.t-msedge.net;::ffff:13.107.213.45;::ffff:13.107.246.45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.172{5097E253-9226-6149-A12B-00000000FB01}4420e584.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.171{5097E253-9226-6149-A12B-00000000FB01}4420cs22.wpc.v0cdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.171{5097E253-9226-6149-A12B-00000000FB01}4420e584.g.akamaiedge.net095.100.208.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.170{5097E253-9226-6149-A12B-00000000FB01}4420a1449.dscg2.akamai.net02a02:26f0:1700:3::5f65:1ba2;2a02:26f0:1700:3::5f65:1b8d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.170{5097E253-9226-6149-A12B-00000000FB01}4420part-0017.t-0009.t-msedge.net02620:1ec:46::45;2620:1ec:bdf::45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.170{5097E253-9226-6149-A12B-00000000FB01}4420cs22.wpc.v0cdn.net0152.199.19.160;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.169{5097E253-9226-6149-A12B-00000000FB01}4420part-0017.t-0009.t-msedge.net013.107.213.45;13.107.246.45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.168{5097E253-9226-6149-A12B-00000000FB01}4420support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:95.100.208.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.168{5097E253-9226-6149-A12B-00000000FB01}4420az725175.vo.msecnd.net0type: 5 cs22.wpc.v0cdn.net;::ffff:152.199.19.160;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.168{5097E253-9226-6149-A12B-00000000FB01}4420a1449.dscg2.akamai.net02.18.213.74;2.18.213.56;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.168{5097E253-9226-6149-A12B-00000000FB01}4420a1835.g2.akamai.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.167{5097E253-9226-6149-A12B-00000000FB01}4420js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0017.t-0009.t-msedge.net;type: 5 part-0017.t-0009.t-msedge.net;::ffff:13.107.246.45;::ffff:13.107.213.45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.166{5097E253-9226-6149-A12B-00000000FB01}4420e13678.dscb.akamaiedge.net02a02:26f0:1700:1b8::356e;2a02:26f0:1700:1b3::356e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.164{5097E253-9226-6149-A12B-00000000FB01}4420img-prod-cms-rt-microsoft-com.akamaized.net0type: 5 a1449.dscg2.akamai.net;::ffff:2.18.213.56;::ffff:2.18.213.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.163{5097E253-9226-6149-A12B-00000000FB01}4420a1835.g2.akamai.net02.18.213.35;2.18.213.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.163{5097E253-9226-6149-A12B-00000000FB01}4420e13678.dscb.akamaiedge.net095.100.210.141;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.162{5097E253-9226-6149-A12B-00000000FB01}4420statics-marketingsites-neu-ms-com.akamaized.net0type: 5 a1835.g2.akamai.net;::ffff:2.18.213.40;::ffff:2.18.213.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.934{5097E253-9226-6149-A12B-00000000FB01}4420e3843.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.926{5097E253-9226-6149-A12B-00000000FB01}4420e3843.g.akamaiedge.net095.100.208.204;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.812{5097E253-9226-6149-A12B-00000000FB01}4420www.google.com0142.250.186.100;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.812{5097E253-9226-6149-A12B-00000000FB01}4420www.google.com0::ffff:142.250.186.100;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.811{5097E253-9226-6149-A12B-00000000FB01}4420gstaticadssl.l.google.com02a00:1450:4001:830::2003;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000298385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.820{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9832441A512F27D03177739783ABEBCF,SHA256=605FAA74E6A3F382A1FDAB5C9BC02798DC8FC5D8E37F7248A5A20AE319D11CB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.818{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.813{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.809{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.581{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41497D3FB71B471FC90C9A5814F7585,SHA256=7B27DC56E4E5BC405CBA4841D71B09C5787D14AB0BFAD57894BC95E3EDD968D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:38.208{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38218-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:37.854{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37921-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:37.777{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37857-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:37.701{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37738-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:40.126{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82685FFA50F48A7BC4DA5AD5D0E30365,SHA256=7B52A03C1E5A0823565FE6CE70720F829502E6FEC15AAF1917CBB1C0AF0F4A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.570{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3 10341000x8000000000000000298379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.558{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.558{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.558{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.558{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.557{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.557{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.557{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.500{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.500{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.500{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.433{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.414{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.414{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.413{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.413{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.375{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1374MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:41.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC4A0FBB2E04413EC04D9D7475546DE,SHA256=E2750E72BE6626B05E61F65B92AE7E06FBD7B45A7419FA316577EDD6443E64FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52357- 354300x8000000000000000298469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59264-false20.190.159.138-443https 354300x8000000000000000298468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53054- 354300x8000000000000000298467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53661- 354300x8000000000000000298466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59469- 354300x8000000000000000298465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.150{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61892- 354300x8000000000000000298464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.149{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50791- 354300x8000000000000000298463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.149{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59667- 354300x8000000000000000298462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.149{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61608- 354300x8000000000000000298461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.129{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59716- 354300x8000000000000000298460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.125{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53848- 354300x8000000000000000298459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.042{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59263-false13.107.213.45-443https 354300x8000000000000000298458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.851{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59262-false40.126.31.141-443https 354300x8000000000000000298457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.830{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53556- 354300x8000000000000000298456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.829{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51499- 354300x8000000000000000298455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.806{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59261-false40.77.226.250-443https 354300x8000000000000000298454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.783{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53728- 354300x8000000000000000298453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.780{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53339- 23542300x8000000000000000260734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:41.142{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDF4591AACE536A0788A467ACABF6E6,SHA256=79447F09CEA85CD6F248FA02C37B701A3805928039F7BA760C526211EDAEEECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.655{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local64989-false104.16.18.94-443https 354300x8000000000000000298451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.540{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59260-false13.107.213.45-443https 354300x8000000000000000298450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.539{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59259-false104.111.237.251a104-111-237-251.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.522{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59257-false13.107.246.45-443https 354300x8000000000000000298448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.522{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59256-false13.107.246.45-443https 354300x8000000000000000298447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.522{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59258-false95.100.210.141a95-100-210-141.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.519{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64988- 354300x8000000000000000298445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.519{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52012- 354300x8000000000000000298444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.518{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59253-false104.16.18.94-443https 354300x8000000000000000298443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.518{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59255-false95.100.208.36a95-100-208-36.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.518{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59254-false152.199.19.160-443https 354300x8000000000000000298441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.518{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59252-false2.18.213.56a2-18-213-56.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.517{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64172- 354300x8000000000000000298439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.509{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59251-false2.18.213.40a2-18-213-40.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.509{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59250-false95.100.210.141a95-100-210-141.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.503{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59249-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.496{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60188- 354300x8000000000000000298435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.496{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60254- 354300x8000000000000000298434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.496{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62995- 354300x8000000000000000298433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.496{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59428- 354300x8000000000000000298432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.495{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62605- 354300x8000000000000000298431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.494{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52499- 354300x8000000000000000298430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.494{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51212- 354300x8000000000000000298429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.493{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58873- 354300x8000000000000000298428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.492{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64172- 354300x8000000000000000298427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.491{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63139- 354300x8000000000000000298426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.490{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51488- 354300x8000000000000000298425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.489{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52255- 354300x8000000000000000298424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.489{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51003- 354300x8000000000000000298423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.489{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64877- 354300x8000000000000000298422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.485{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51145- 354300x8000000000000000298421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.483{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59248-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.482{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59099- 354300x8000000000000000298419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.481{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59247-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.481{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59246-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.480{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59245-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.252{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59244-false95.100.208.204a95-100-208-204.deploy.static.akamaitechnologies.com443https 354300x8000000000000000298415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.252{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51017- 354300x8000000000000000298414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.251{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61441- 354300x8000000000000000298413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:39.245{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61792- 23542300x8000000000000000260733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:41.126{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0480EAE223E99718FCE28C3D4C406D5,SHA256=67150443E65A18D213F8638235673A57619A3CB4F0D0E2E098CF5B0A39682D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.819{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64831- 354300x8000000000000000298479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.794{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64831- 354300x8000000000000000298478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.249{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59268-false40.77.226.250-443https 354300x8000000000000000298477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.248{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59266-false40.77.226.250-443https 354300x8000000000000000298476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.248{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59267-false40.77.226.250-443https 354300x8000000000000000298475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.246{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59265-false40.77.226.250-443https 354300x8000000000000000298474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.175{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50791- 23542300x8000000000000000298473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:42.641{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFC03CF9C405ABF9567C3F8E4CC381,SHA256=C0FD787DF47F4AD3A02C512E9A3BE4E4A5AEDB5CAE6D6977B24E9FBD55E7AF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.642{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E72ABBD672289CD4E701E34BE4795A7D,SHA256=22CB2D51BB0627CA00F88DCEEA1FC2DE31AE2658DB70A424ED46468D30379566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.142{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F9AA9921E8BDF45265D1D5F8924E7,SHA256=3A15DAE453B1D98ECF37178D4614347F4F55E0488464A8AE80F36B2C17120402,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000298472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.197{5097E253-9226-6149-A12B-00000000FB01}4420e9398.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000260735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:39.249{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39469-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:43.943{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=834CC07911270A825597C0B2C3A31C7E,SHA256=0D05F3ABB0D80EEBEC95110A560B8677614B3A93EAE12FB0B83A077B4ECB86AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:41.393{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59270-false10.0.1.12-8000- 354300x8000000000000000298484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:40.937{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59269-false13.89.179.8-443https 23542300x8000000000000000298483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:43.651{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAFC062FCC05E9D873112E8ECEA3548,SHA256=CF0F0B43DFC7E57DD8807DEB108FE500A91F12C420CCA2128EC9BF89117828F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:43.157{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92042AFAAD6B325FF9464C08B4388D79,SHA256=26F3EA15EFD8C5581ADCC43052591F1F98878160DB33DC2D73CE52216C9FC31F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000298482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:41.520{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdcus06.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:41.495{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdcus06.centralus.cloudapp.azure.com013.89.179.8;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000260741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:40.862{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41021-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:40.784{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40941-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:40.703{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40845-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:39.669{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39842-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.829{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=62F1B55F0C7A8A67BCED5E877AA8EE81,SHA256=18E16BD585990871A80AF2FC3D7AAF446559A07884284930231436D05286098C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.828{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2B9BCE5EF1BDA71CA1A51FDA17EEB750,SHA256=D159074D0FB9CBCF130D3213C859BA822021973528D4DCD76742F3B36EDB46D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.827{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=6145B52E04A749D6DF446A9EFB931E6A,SHA256=41552CE5D564A1D091725DEAB774810309710A1D6F474F2DC0EF5E7B649AAA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.825{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=595359B249E30D0D9D0C1D432C184DB8,SHA256=B981CBA5850692B3D528CE2CAB6BDCCB17366925B6CBD8F2801802D7752E788C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.824{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=21EA1DFE5559FC9210B16E5679250653,SHA256=F386CFBE9224FC9D263BA5A8742A2044CAF8A214035BD26F6E50456A2B4E8CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:44.746{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C20632B62A7F24BD16B68B6F3C606E,SHA256=A37B573EA196704EE50E9B46EAF9EBA717098F3F4DA7CF5BC8D9B6B2A8CA2388,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.372{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42660-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.293{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.215{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42481-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:41.304{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41359-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:44.266{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B326D3F6BE6D6CC79D3D84DEF18BEE,SHA256=A0E8C9AEF83F1427AA0A91064588BDF9BF1AD8A8391FCD815CBA129616E26B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:44.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B8BC5EA30B7E1822A1EF7498F8B5B,SHA256=C4C55092E9E54308C11A4F4A03FAA0F9FC3451B5E89A2FAFE4D4987761430AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:45.979{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8078B4FDCDC353380023DB6AB650162A,SHA256=79AFD3179F46EF297A36F20642B2C0035F366FD2488B92CEAFCA94C09EBCAEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:45.749{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DF12A6CF472C2172629A9258ECCCD2,SHA256=CA1FA315B51220C20710C6E64E2DFC6B242A019EA6FB8D6151A6D52CBAE4FFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.750{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=810A1F64D8612F5CFB314AB429FE2A0B,SHA256=3210283C9DA91913D806C12206FFEAE0EA4CEC904CEB4117104AD22FFE6192E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.719{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43001-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.540{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:42.451{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42757-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.235{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C254850AE47CE0A787C95F161D5C6356,SHA256=FB4CA2B646BA84F0ED53B8510FAF4EA7BC4A172627F7388EE85AD232EBB439DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:46.519{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1365MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:46.297{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CE80D17AA8BFE00F231A189A19866C,SHA256=0F1D211656A76727D569D8CCC1E31F9D1EE5C78E283A3B3A2D59FC3A651EB52F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.250{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.250{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.248{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.238{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.234{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.234{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9296-6149-BB2B-00000000FB01}7596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.216{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000298520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.216{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000298519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.215{5097E253-8792-6149-AA29-00000000FB01}4816720C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.215{5097E253-8792-6149-AA29-00000000FB01}4816720C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.215{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.215{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.203{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.202{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.196{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.192{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000298511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.192{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000298510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.190{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.190{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.184{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.182{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.182{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.182{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.182{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.182{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.180{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.178{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:43.153{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50927- 354300x8000000000000000260756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:44.178{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44431-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:43.991{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44257-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:43.907{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44113-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:47.518{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1366MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:47.313{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98828A197C73520124457BBCB1225330,SHA256=7BFFF0658FF60B2386FFEC42803685FD2A58F349A814856470B5256C01A562A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:47.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56A23720F25E366AC78AE625678E475,SHA256=DA5BC17248371515D9CB1ECBC7BEA6F5D5DF1C1EF4D1D678982FB450F04B3347,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.384{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45742-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.305{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45637-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:44.256{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44505-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:47.188{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=082181134B95A38150FF97ADBD55A3CF,SHA256=A52AA700E7AAC7D26C27B24863019B716973873B88D850813CCC3EE863AD3BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.705{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C1A1208BDB2126FD3C9B2D9493A917C,SHA256=7D6C11414C358C67C9E0BE683E2F412E494E102AB38AC64D73F201171406863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.315{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EE9F78AF49160CEC68AFACB51EEDB1,SHA256=95E9546A5F96AFC8C09E28D73E571C46BC10958CF6AF74243A0F521D83BDB41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:48.009{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EC84ACB2B9F6E4DBAEB223CDE13E88,SHA256=DADB744F87FDF3D6D6AEC1E1AAB4CC928090E8B41A65A957B7F3D068E6EF9562,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.675{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45980-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:49.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D13D24C4C1A7B5145985ABE8BBB267,SHA256=2489E08C803E43FECD9E8F1D4C69B7CA6B003B13939BA3BE1357C91E5DEB2BAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.756{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000298578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.756{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000298577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.754{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.754{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.754{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.754{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.752{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.752{5097E253-8792-6149-AA29-00000000FB01}48166580C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.752{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.750{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.748{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.744{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.163{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:46.530{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59271-false10.0.1.12-8000- 23542300x8000000000000000298530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:49.014{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302612C7F60C3299F8A9012CC768F86B,SHA256=D4488CA7CDEA534BABC1F1995610B70BE962967A94985D35FB7B4158033AE943,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:45.752{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46126-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.542{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.521{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48928-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.430{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48876-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.352{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48803-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.273{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48711-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:47.321{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47679-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:47.243{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47604-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:46.931{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47186-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:50.346{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22CF2FE00309818A21EE5F8C5A1537E2,SHA256=76A411E77DDC7FE918B85504DD92363CC4FD46ACC7B5A665E1AE7688A4903F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:50.346{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3896EBF953DE9B55F329238C83F255,SHA256=19F1941589D7A91E43C9A38EFF3644A628C3BF779F1A2B378458336774A1FE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:50.078{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A07AE8D343DF05BFC6FA913CE53D6D4,SHA256=0E0BF008733D39A78516D56FDEC1DD3001BDF27CA00E542A373CAD9C479D81BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:50.072{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20013358925A98223A70513AF0A2B5B3,SHA256=FA8340F8480833BCF5255BE73D51443CA23A646A8B3C3248478374373119F4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:51.815{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B2CA0E99A1478BD3FC3C5F02DB5A20E,SHA256=3CEA1C63FC0E6D221ED201338513D901A38D324EDB7F75AA83DC58A1B2DBF80A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.908{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49286-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.812{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49222-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000260781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:48.725{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49192-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:51.362{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EDD77DE8CAE675BA9B8C7665C47E21,SHA256=1B2AEDB92DFAB3CE18C52C80A1BEB418CDA31CDCBDB30FEC2BD9B986BD833165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:51.081{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EB57575EE891D7202272A5DCE2EAF9,SHA256=1C57AC1155B389A3AA8109D0E492CF70020BBBB0C9D01B4D97EF2DB6A7668566,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:49.975{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50457-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:52.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B02A3D7C1A9A93AD37738D42EA3F254,SHA256=4CA3DA58F8CA4F2911F8CD3E3C188050FAC2ED7E8FD09771ADF4B0A6F1FA222A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.788{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE14A02613CE9F1E21F3A4C9420C7F0D,SHA256=1BFEAD6AD3AD4D925B949E4F1EB122EB04EF87DFC4E0F392DF12B6022BFFA67A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.776{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000298674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f 10341000x8000000000000000298673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000298672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+139d2e|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 10341000x8000000000000000298671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f 10341000x8000000000000000298670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}57725344C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376 23542300x8000000000000000298669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.774{5097E253-929C-6149-BC2B-00000000FB01}5772ATTACKRANGE\AdministratorC:\Windows\ImmersiveControlPanel\SystemSettings.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF50a95c5.TMPMD5=4FCB2A3EE025E4A10D21E1B154873FE2,SHA256=90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.772{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+12a22|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.770{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c874|C:\Windows\System32\ApplicationFrame.dll+100f4|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.770{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1a578|C:\Windows\System32\ApplicationFrame.dll+100e3|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.770{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c76e|C:\Windows\System32\ApplicationFrame.dll+100d2|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.760{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+100c1|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.758{5097E253-8792-6149-AA29-00000000FB01}48167328C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.758{5097E253-8792-6149-AA29-00000000FB01}48167328C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.758{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ca6f|C:\Windows\System32\ApplicationFrame.dll+100ae|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.758{5097E253-8792-6149-AA29-00000000FB01}48167328C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.758{5097E253-8792-6149-AA29-00000000FB01}48167328C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.756{5097E253-923D-6149-AD2B-00000000FB01}47487052C:\Windows\system32\ApplicationFrameHost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ad31|C:\Windows\System32\ApplicationFrame.dll+10096|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.752{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.748{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+679f|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.715{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.704{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.702{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+4a4e|C:\Windows\system32\activationmanager.dll+2109|C:\Windows\system32\activationmanager.dll+2c31|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000298652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.702{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+4a4e|C:\Windows\system32\activationmanager.dll+2109|C:\Windows\system32\activationmanager.dll+2c31|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000298651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.694{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.690{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.688{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.688{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.688{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.688{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.686{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.686{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.648{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB5D15942B45EFEB04B5D8C438771E,SHA256=CAFDB4C42942334D1B0FBBCF8032B6CC124824D5314368487FA94C8DD2333EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.603{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929C-6149-BD2B-00000000FB01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.603{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.603{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.601{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.601{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.601{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.601{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.601{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-929C-6149-BD2B-00000000FB01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.599{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929C-6149-BD2B-00000000FB01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.596{5097E253-929C-6149-BD2B-00000000FB01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.591{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.589{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000298630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.587{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.587{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.555{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.553{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.517{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.517{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.513{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.512{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.487{5097E253-8791-6149-A029-00000000FB01}41845360C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000298621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.487{5097E253-8791-6149-A029-00000000FB01}41845360C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37ebf|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000298620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.485{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000298619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.475{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.475{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.473{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.473{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.469{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.469{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.467{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.465{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000298611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.463{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.463{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.461{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.459{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.459{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.459{5097E253-8792-6149-AA29-00000000FB01}48165940C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.459{5097E253-8792-6149-AA29-00000000FB01}48165940C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.457{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000298603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.457{5097E253-8792-6149-A129-00000000FB01}43161460C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.457{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.457{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.455{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.455{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.455{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.455{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.451{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe10.0.14393.82 (rs1_release.160805-1735)SettingsMicrosoft® Windows® Operating SystemMicrosoft CorporationSystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanelC:\Windows\ImmersiveControlPanel\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=A91F621A8A0DE91FAE53D3051303809B,SHA256=E768FF1F2F31178FE5930F261ACD4B19464ACC019FB0AA697D0B48686E59050C,IMPHASH=1812A9B9265AD93B24FA9FCBFAFBC4A6{5097E253-483C-6148-0C00-00000000FB01}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000298595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.443{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.443{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.429{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.429{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.427{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.427{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.422{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.421{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.419{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.419{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.389{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.389{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.089{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F3E217D97246541DD5F53EDC7D063,SHA256=B8E810C4FDFE65D48AE62ED0053972CC9850E88A5BD1837F5A1F4F9646B55826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:50.349{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50797-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:53.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF11604694F2709AF3A075757B805C0,SHA256=45BFF1F838C6A65184F22B098F06730B106DE0612E7457A8C4490EF6489BA3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.961{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929D-6149-BF2B-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.959{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.959{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.959{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.959{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.959{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-929D-6149-BF2B-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.957{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929D-6149-BF2B-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.953{5097E253-929D-6149-BF2B-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.434{5097E253-929D-6149-BE2B-00000000FB01}81726572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.288{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929D-6149-BE2B-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.286{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.286{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.286{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.286{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.286{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-929D-6149-BE2B-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.284{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929D-6149-BE2B-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.281{5097E253-929D-6149-BE2B-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000298679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:50.732{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.14win-dc-966.attackrange.local3389ms-wbt-serverfalse146.88.240.4www.arbor-observatory.com36248- 23542300x8000000000000000298678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:53.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895519EFD7E4D8BECFD8FB448B9F2609,SHA256=C37CC1D9A7FCE69637775835987BE9327149F2D0519017193ED47ECCFB6D8961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:53.299{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0476681BAD60A8940C2A769B8C0135D,SHA256=35B196637877C7706CC4F5039564E0D0828695C4FEEB815E8869981F21EC98D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:54.799{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2834B0D3F51630CE8358DAE9F5EDC007,SHA256=9DDEB7AC6402EF4F6741EBB91863C93A4691152A9EF46A6EA12D8B0B3252206E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:51.367{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51872-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:54.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8134FD78B2D6A8747A9ADFE79E66FEB8,SHA256=3FA603E838B2D660D7E9418F022BA0848FE7AD1BD437A0B7FC56E554ACBF1A74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.783{5097E253-929E-6149-C02B-00000000FB01}32326728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.631{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929E-6149-C02B-00000000FB01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.629{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.629{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.629{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.629{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.629{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-929E-6149-C02B-00000000FB01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.627{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929E-6149-C02B-00000000FB01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.624{5097E253-929E-6149-C02B-00000000FB01}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.110{5097E253-929D-6149-BF2B-00000000FB01}66848036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:54.110{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F820431E9EECFF3C79F8E9A4420936C,SHA256=C71AEAF59CE3CDE43397DFE869B2D309ACA712139B96A137B5DEFD2C435C719B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:53.651{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:52.897{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53501-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:55.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BB4567F05102FBC7D6F711C5FFA0C1,SHA256=0D4A297629E7EFD41F41091DFE39A39F5078197497467451645E8BD9B8B019BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.978{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929F-6149-C22B-00000000FB01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-929F-6149-C22B-00000000FB01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.968{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929F-6149-C22B-00000000FB01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.965{5097E253-929F-6149-C22B-00000000FB01}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.454{5097E253-929F-6149-C12B-00000000FB01}57046496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.304{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-929F-6149-C12B-00000000FB01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-929F-6149-C12B-00000000FB01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.302{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-929F-6149-C12B-00000000FB01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.297{5097E253-929F-6149-C12B-00000000FB01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.188{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.188{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.180{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.170{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.170{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.166{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.166{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.150{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.150{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:52.361{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59272-false10.0.1.12-8000- 10341000x8000000000000000298728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.148{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.148{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.142{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.142{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.138{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.138{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.134{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4690F76D1EEF99DA4037D9E034650B,SHA256=9ACAF7913D6C7F5FF1ADAE304CDDDA98E117F05E86A4BDE81C35405222A6D96B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.116{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.116{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.114{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.114{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.112{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.112{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.108{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.108{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.100{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.100{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.064{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.064{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.062{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.062{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.393{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FC61D4AA5FEDAE9991241B79E548D1,SHA256=EDD21BDBF2416D2C3FC3EFB1A24AA1BD874D9C9137A9C6E5F52866879D65A7C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.315{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000298764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.315{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.314{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF50aa3a0.TMPMD5=A97F032C5DFF9E687148B171DAB5F1AD,SHA256=4555BB2A4C3B77D98DCEEFDFEB896E782A90CE230ED35CA20D4EF5AC4232B432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.309{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x8000000000000000298761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:56.307{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 23542300x8000000000000000260797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:56.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3786AC85802444443BCB4B53AF592B,SHA256=E226E00FC2E640B19EFF82395650FBE90BD57AE51A6DFAFC071FBD089B704D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:56.252{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3754EA122BE81F89FED0ADCA77271FB4,SHA256=01F27F3E73FCC67306025625BC775BD240F545308E4D855A0F4BE97E26F97BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:57.659{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B84BE9DFC3D5C6913A55E668FC62E1C,SHA256=814791A9AD26E8F275C358B35CD0F6526099C8AF809C58DBBA336ACCEA363672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:57.549{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDD029E694BF13D7C2D49F0C6105442,SHA256=01716E18F5B23DD22991EB98B679496D9C32EAEE693463D039B83AC553A1FB6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.864{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.864{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.864{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.862{5097E253-8792-6149-A129-00000000FB01}43161460C:\Windows\system32\sihost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.730{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.730{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.730{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000298768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.730{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000298767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078F39788B9D70C038E6F7089630E1F4,SHA256=0953D5FB2D8F9361AF145658DE8AB5DCEC0450AAE04636C08DA88EA06C7B7996,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:54.352{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54988-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:58.950{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98E477BECDF26E83FE5A1E98BD2DE822,SHA256=A4086B9606032E70AAC0E8048FC30DFD8C9A1A5077028FD7C6E3399A4F00AE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:58.950{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E665C305E8E8A66A5FD06AE9E77EAD,SHA256=D0E60FC4AD57BF67217DEABDAB774BB4213239D9965D347D291EF0CBF96D02A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:58.555{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C6D04B9373B63308F38F4D9176EA30,SHA256=53EC9A7288C421E0035D5C0A2C8EF7686FEA0C335D67BF692AF651162B0D2B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:58.549{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD40556FE154F2AF7F548D413184840,SHA256=C8FA6FFDD4F020DF98A4725E887DCE0FD05CAC9E9D9EA9E18CA5DCCCFEFFA6B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:55.825{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56578-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000298781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.855{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59273-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000298780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:55.855{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59273-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000298785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:59.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710EFE0E238AD66E512133EF7A164413,SHA256=6C6BBA124131EEB2D4305471F58AA49F6315128A0460FA09700E2243F2E5506C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:59.565{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC3034C7CAFBFE07FE0361500A5B052,SHA256=3615756A95BE04F2579FD5A2E5B82E5B137063A21695FD015ADFF1638A6E5121,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:57.339{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58055-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:59.112{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2794BF8B84FCA76A3FA974B4223BDCC5,SHA256=DBD3F942133E619D511201AB7D8E5D1AC5DEECC37926690F4DD1CD0BD38F0CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:00.627{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAE6CAAB3C5120DB00A526D0F259FF9,SHA256=860ECC35260D488E99028EC384DAB2BBCC99C9B1EB0C2B5F6DAB0026AA0AD0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:00.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E182F73DFA1830A70B62B2781CD751E,SHA256=55DD0DC5C29AF3C4997A80E7C33D28388B1DCBEC58DCC8AA5A39587D4C63F44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.570{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA35A56DF32A862093F2F16FB9A4DFA,SHA256=76CF5A3C9B96A5BF3C8F0DBD54351C3D0D20DCFFA6BFF5A9C0F1C7A10661B454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:57.449{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59274-false10.0.1.12-8000- 10341000x8000000000000000298793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.124{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92A3-6149-C32B-00000000FB01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.122{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.122{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.122{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.121{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.121{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-92A3-6149-C32B-00000000FB01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:00.121{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92A3-6149-C32B-00000000FB01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000298786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:06:59.988{5097E253-92A3-6149-C32B-00000000FB01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:01.767{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483C-6148-0C00-00000000FB01}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:01.767{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:01.573{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB301D96E5D9518C959A80804C6713BB,SHA256=25E36DF9D1701042D16331087465D6861DB1AAD3799CC0B36DF579C2D5CEB61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:01.659{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A1D848E0E3FDE74B25AF5C0342BF5,SHA256=4763185307A7FE1691CC042C702EE554C3C24C6ED519EB029534F965D7F1A69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:59.561{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:06:58.753{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59456-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:02.582{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDDC568B27F29E7797A0A0A65890BF2,SHA256=37BA540745B6D07164657275A97226FC6808337C19AB325704C95829CC65BE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:02.690{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F854E99201AE90BF3CC8CB626A1686CA,SHA256=21E4C2BC9119D9CBF72887BD3EA9934D5B8FD857814359CDB5E12F567E762504,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:00.254{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2104-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:02.127{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE85B1A33F99D2E5C73C323EA992E879,SHA256=F81B3A9E6AF8E18D6FE4D24FF0D4CC840DA5CFD5B22F1B3885505E41DB6523C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.809{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6804304EBB58055A3CE792D331C3DA12,SHA256=6A481B8E4C019E7C87B75F09D4385B7250C24694A42C01B6740D882305A86EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:03.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9820B5329F0BE6874E6E91A0B48BB62,SHA256=6BAA4590EE8C245DB1BCCE0627E1FB92A3E72B0E0296D1A2FDE213F86F9298AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.243{5097E253-929C-6149-BC2B-00000000FB01}57724400C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000298809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.241{5097E253-929C-6149-BC2B-00000000FB01}57724400C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000298808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.191{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.191{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.185{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.185{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.177{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.173{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.173{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-92A7-6149-C42B-00000000FB01}2212C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.047{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:03.047{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:01.685{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3601-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:03.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71C1A87FDFD72425190D1D1D5DBAD47A,SHA256=CACACB1181224CACC8662F4F004B7D0E4F8B3AC16C905BC18F59DBB107F9D45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:03.221{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C8A48923C3707ED71FE88DAE12BA17EC,SHA256=BBF56AD9D0F6A1FAB6A048F0E3B094A207D76C18A05C5683A7FF9AAF60C74FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:04.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F0B7931DCF646653BA3360151F3FC1,SHA256=00CCFD8C664E57F8B7781A71A587C8CF9417C8F425E84F15DD7FA41C698D6EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:04.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C217D3A93F8BC4B13A306D1277C3F440,SHA256=F2E3D1EDD0DB0E54A91C880A4A9B5887027564E22241F550C5F68B38BA8C41EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:04.160{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1857E1F41CB9D29944FA735365572E,SHA256=9682E67BA880D3FB72252635EA8858E8B9892074DD9A4212BD399F698DDFF5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:04.158{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98E477BECDF26E83FE5A1E98BD2DE822,SHA256=A4086B9606032E70AAC0E8048FC30DFD8C9A1A5077028FD7C6E3399A4F00AE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:05.820{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F369E0C3A62B614567A9B8B4518A12F,SHA256=898E2D7AAE4E4B5CFEB1792CA6D6AD12EB388DAD03FAAD8A12326A4BA463A653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:05.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992ACE6FA801B34690AE98B615C87502,SHA256=2702A26E31111311D98A10046FF6689D41EB4BD7FD75D982FA25617AB261B090,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:02.480{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59275-false10.0.1.12-8000- 354300x8000000000000000260820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:03.165{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5192-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:05.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A65A6AA003937E95FBBAEE57319B66D,SHA256=40FA7FFD60F8339B6A0E087474F088FD57CC2229AC00F0A462B07052C476F0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:06.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DD5E67342E0A4F098A0DBBC456C6A2,SHA256=ADF2E3855F2F5173FD58332389052522C4A07B799B86A82CAB083D41D785E5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:06.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1813AB4FE0BF247DCB30ED3B12578B5,SHA256=C6F850DCEFA9ADEFBA97E2FE9F2825C0D74277973A0A2C2DC3F46107A43BDE4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:04.832{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6750-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:06.603{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55A8D5FF9DC0DD6FDA2D736A7C4FDB10,SHA256=2F11BAF5880B8B8DC9E90BD7AB423C9B3302BBCBF2A7C63CAFC7531B0E5E19F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.831{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9FFD9CD16AD88EF82FD451EEB48251,SHA256=6418B247AF7EF5700A005D16DC96BE54B65A416DF53AB63E0D043D5A7836367D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:07.900{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80AC75DE5A431E337FF91A81B0265C06,SHA256=045045F643B9B2FCFBF0A65B9518CC2CD8B1F3415584474E134C0981EA00544F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:07.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5619DE551851658B397CEEE118E46B9F,SHA256=85070F982CE0EBA67D65D449B66C7A609C18A8C93B7596617BC4F3491592C591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.098{5097E253-929C-6149-BC2B-00000000FB01}57724900C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cc7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A07F5)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\combase.dll+b75fd|C:\Windows\System32\combase.dll+b83a8|C:\Windows\System32\combase.dll+b5caf|C:\Windows\System32\combase.dll+b5ba5 10341000x8000000000000000298821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.086{5097E253-929C-6149-BC2B-00000000FB01}57724900C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b4d|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.086{5097E253-929C-6149-BC2B-00000000FB01}57724900C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ac9|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17f43|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+3c365|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+41e53 10341000x8000000000000000298819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.086{5097E253-929C-6149-BC2B-00000000FB01}57724900C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x8000000000000000298818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.086{5097E253-929C-6149-BC2B-00000000FB01}57724900C:\Windows\ImmersiveControlPanel\SystemSettings.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81aad|C:\Windows\System32\SHELL32.dll+821f3|C:\Windows\System32\SHELL32.dll+82124|C:\Windows\System32\SHELL32.dll+819d2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf 354300x8000000000000000260825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:05.533{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:08.837{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55744C4E37F7ED414EC17E396725F91C,SHA256=CA97BA310DF46A52E69041F40456057575337884CD551D4E87B14C3AE40B0977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:08.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6F3D1BA3236207AB5ECFB2BCAD3AFF,SHA256=3E4F66498DA157ECA622BC2CCCB2EE80795130EF6B8C1207342A8F34AD195DCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:08.449{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:06.168{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8249-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:09.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1745F9445CACD80D5A66E80F5E1E668,SHA256=D0586AE42E89F8F29C5B174F71F7460D79029F8A8CFC493AB19D710097294225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.830{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.830{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.820{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.818{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.794{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.794{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.792{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.792{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.788{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.788{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.786{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.786{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.762{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.762{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.760{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.760{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.758{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.758{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.756{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.756{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.750{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:09.750{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:09.338{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5DD66A7AA9C5546C0CE64626BCF5111,SHA256=D57617F04E1F66BDE9E78FAB20DEAEE1984A2F4AB1CC7AE1EDD8CC3845BED5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:10.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602035E9B743731DFD22778AD414A8FE,SHA256=17B7AD5C4D9F589E18F996595AB714780F1DBD52476535037163890C5946FA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:10.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D42E8AA35314738DA13A846E95EEEC,SHA256=930F248D3AEDAD4E81E75C2A87AB0D998FCCD765C352B3AA5FDB7CB7306CE475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:10.349{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2023E00432D3ED769C30968C14D78EB9,SHA256=CD5B018E64713FA426A711CD0D21F6DCBA2C1DD0199DF05CE64AABBC243FB020,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:07.507{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59276-false10.0.1.12-8000- 354300x8000000000000000260832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:07.523{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9674-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:11.931{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D605550C1AC91ED38D1FE37D98BA3FA2,SHA256=637FBAA67C2864273C16D8A23C60FDCCBF7F1894691C2890100A30F8981056C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:11.174{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57084FB16495BCB7ADB4D4E1C54FC05,SHA256=7923147EE95040B062AE866651FDF66B15107F71E7F325F09F3B8BC67707E2BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:08.891{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11027-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:12.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1240B57B7AAA6CBA4EF364F13DC2A68C,SHA256=D513176FB6FFCBD0478887E2BEFBBE2B809AEA44B1BA9A2D551FF2E16351DF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:12.204{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DF0EB99FF06DB5CC53253CBECF3C62,SHA256=FF3CC3B2CC984D22FE189CF75DF8454B24587DEC2A8F1C9C8B35622098B91D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:12.400{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39032CD0B1B60518DA7505EF3B14BCF7,SHA256=328F29854AA1260991FB47BA14664AEA1639395AD8D93227AE2F357E6C05E204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:13.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984FB4FEB7DFE669D8C9759A47BE3746,SHA256=D17D6EFDB00E56E8B99B931212AA89911CF272B32E750A2D6CB9BE0D7BC92133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:13.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F025554A5B3B91C8DDF74C0389B8B0B3,SHA256=2C949E6B4601F253515F1BA6B8258CA3918E08FCB958FB271712B138EF4C7DCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:11.533{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:10.491{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12844-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:14.255{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A3097104E50C20D9F0FB6BED7530A6,SHA256=036F0B1CFADB9FA743CC61888084C35169493E622D484D703FA7B09C1014DBA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:11.960{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14272-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:14.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA14693480746B3207BFFEFF323FF8,SHA256=85EA237381143E193F05D5402CD7581039A629CAC6F2148E4FC3C61DB3CF3892,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:12.553{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59277-false10.0.1.12-8000- 23542300x8000000000000000298860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:15.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97B2D51E15C0DE2126E15A25EF9FCC7,SHA256=40E80EE8E8B0B08CC2895408C39678AF84D9F40FEA968E31BBCF826D8DC521D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:15.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB225BE5708D2A3BE61638196F5AA743,SHA256=412AA5A3FDEE937B38E9122EB82C9A51B1A8AD8BF25D24C441CAED4B5266263A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:15.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F1056D95E5D85F19B005B10F98FE08,SHA256=925F3621E37DB8B77D25073D7DC9B681801842CA79ACB2487DA0AE646E5A09F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:16.284{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86549AA951812C0EFC6CAFEA7F24A29B,SHA256=ED856C098739CF256EC04388F860892102C521C16A7BD9C842BCC6D5CA7D3E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:16.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BEFB0F5D1AD51A46FDE6BA7550AB14,SHA256=7BC5E224BAA4417C931DABD860A2F8DA0F8716141B2A0790D209B131DD5B745F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:16.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A678A66600B39D8145E112AFD1E513B5,SHA256=44DE14789D01EC0505AD5941C975256F5D4770792D4087D6E6C106001E8792E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:13.441{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15750-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000298863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:17.299{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B565F16E0988E378D78195C8575BC90E,SHA256=2D59EE58B131C9E98E314E29BF047CAFDF585F8D8326F7F321397A2D2B89B2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:17.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603584E7D6F109474CD8A7078B65FF88,SHA256=BB15E19AB025ED84814943BE8637B2F109387EB62556E73A1609F68E82D17732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:18.300{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF5E8AD12C898DF7C784A649B9E76D5,SHA256=AA63DA9C68C452FF0B61AD066E3A8D36F244F0535E1D32C5203C2B6C03A72B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:18.619{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F279F0EC6D3B203CBCC89498AC1E3BD,SHA256=FB67B19AAB34A813E7B7CAF752E18196CE56B198D8F72A6A705800B3EFC9CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:18.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E2256BBB7DB9EDB2500AC3D1D9FD1B,SHA256=490AB4F2FAE30D79C8F24951C873EF1764FD3A78FA17D5E3F263889B78AA841B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.232{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000298876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.232{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000298875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.232{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000298874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.232{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\LeaseTerminatesTimeDWORD (0x6149a0c6) 13241300x8000000000000000298873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\T2DWORD (0x61499f04) 13241300x8000000000000000298872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\T1DWORD (0x614999be) 13241300x8000000000000000298871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\LeaseObtainedTimeDWORD (0x614992b6) 13241300x8000000000000000298870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\LeaseDWORD (0x00000e10) 13241300x8000000000000000298869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\DhcpServer10.0.1.1 13241300x8000000000000000298868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000298867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\DhcpIPAddress10.0.1.14 13241300x8000000000000000298866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:18.231{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{766de22f-55bb-499d-b704-7532d6b79ffe}\DhcpInterfaceOptionsBinary Data 10341000x8000000000000000298865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:17.998{5097E253-483D-6148-1600-00000000FB01}12922000C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:17.998{5097E253-483D-6148-1600-00000000FB01}12922000C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000260850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:15.114{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17367-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:19.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7FA7118BC2D688842D5EFD28BEDDC9,SHA256=97FD7525965D364AC1D80F42C58264AA6619BDA1E3CB7ED2FAE06BE1E565DFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.799{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3DDA2269AE24A11071C0C245F552297,SHA256=79794E35BECD071F9CF200920439706CD1514FDB404AD81949E3B27BC8BF8BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.799{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1857E1F41CB9D29944FA735365572E,SHA256=9682E67BA880D3FB72252635EA8858E8B9892074DD9A4212BD399F698DDFF5F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:17.546{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-966.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000298879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.315{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC56355089A848CE5C1D1787D2E482C9,SHA256=31D837EB32D117086341344000E2CD492C46525D1924F1E0910FB029ACD592F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:16.692{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:16.605{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18847-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000260871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92B8-6149-3F27-00000000FC01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-92B8-6149-3F27-00000000FC01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.853{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92B8-6149-3F27-00000000FC01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.854{C189DCE5-92B8-6149-3F27-00000000FC01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C96A4D439598AD0EA6D1681E83F066,SHA256=271A410D203ED19AED261AA2E468D664FE2C21ADD1791DDC7E1030FAA25959C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:18.217{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20451-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000298898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:18.415{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59278-false10.0.1.12-8000- 23542300x8000000000000000298897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:20.316{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AC42ABD6EE9B5D5AE80C07593E59B7,SHA256=AAD77F216EAC88A48399C55D4B6BEF936085DAB1790ABF60B3555C976BA64364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:20.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1968A5EF3CED438A1C3BC531DAFF2335,SHA256=17F27D7EF18E13313CD33075E8EA5F3C2B754D89853668432CBF6D1775B90768,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000298895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000298894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000298893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\FlagsDWORD (0x00000002) 13241300x8000000000000000298892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\TtlDWORD (0x000004b0) 13241300x8000000000000000298891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\SentPriUpdateToIpBinary Data 13241300x8000000000000000298890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\SentUpdateToIpBinary Data 13241300x8000000000000000298889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\DnsServersBinary Data 13241300x8000000000000000298888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\HostAddrsBinary Data 13241300x8000000000000000298887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\PrimaryDomainNameattackrange.local 13241300x8000000000000000298886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\AdapterDomainName(Empty) 13241300x8000000000000000298885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\Hostnamewin-dc-966 10341000x8000000000000000298884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:20.269{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000298883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:07:20.269{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{766DE22F-55BB-499D-B704-7532D6B79FFE}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000260887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09674AB47CB5D438149BE58C47830374,SHA256=208ADB4CE6DF8554CF2CA2F51C49029B208750A7E2B2049B8DF3012C66605560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92B9-6149-4027-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-92B9-6149-4027-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.525{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92B9-6149-4027-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.526{C189DCE5-92B9-6149-4027-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71C23D8C027A758CBC3EA454E3DA06A,SHA256=FE7837498FFB4EE79DF080A1E481D9996A43F3F10E2C641B118A15A3A8FD12A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.597{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local63792- 354300x8000000000000000298914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.597{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local51944-false10.0.1.14win-dc-966.attackrange.local53domain 354300x8000000000000000298913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.597{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local51944- 354300x8000000000000000298912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.597{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:58e1:83f8:86a1:ffff-51944-truea00:10e:0:0:0:0:0:0win-dc-966.attackrange.local53domain 354300x8000000000000000298911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.596{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52827- 354300x8000000000000000298910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.596{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domain 354300x8000000000000000298909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.596{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64593- 23542300x8000000000000000298908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:21.336{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41ABDFCF8EC8A602C33814E22C2AFC9D,SHA256=C3185D53F78BD37C28F427F142CDCC74DE1BF0FB07C8A4DA304733BA43C6A613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.010{C189DCE5-92B8-6149-3F27-00000000FC01}9242440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:21.283{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3DDA2269AE24A11071C0C245F552297,SHA256=79794E35BECD071F9CF200920439706CD1514FDB404AD81949E3B27BC8BF8BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.591{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64130-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000298905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.591{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64130-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000298904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.590{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local58868- 354300x8000000000000000298903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.589{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local64129-false10.0.1.14win-dc-966.attackrange.local53domain 354300x8000000000000000298902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.589{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-966.attackrange.local64129-false10.0.1.14win-dc-966.attackrange.local53domain 354300x8000000000000000298901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.587{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local51552- 354300x8000000000000000298900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.587{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-966.attackrange.local51552-false10.0.1.14win-dc-966.attackrange.local53domain 354300x8000000000000000298899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:19.587{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52151- 10341000x8000000000000000260916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.869{C189DCE5-92BA-6149-4227-00000000FC01}23723584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.713{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5978529B8295114BDDFBE11F1D86DD2,SHA256=4D921C161F147BB7EC1D7B7C7B9793C13F9592C23D7892AEB1CF4B2E777134C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92BA-6149-4227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-92BA-6149-4227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.697{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92BA-6149-4227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.698{C189DCE5-92BA-6149-4227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.367{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68B4E382B0443EE8F6EC276C8619FC4,SHA256=F42071FC46B86C3689F1FEF74AD11453BD260F6B2CD928A1B5F2E184F9E44F85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92BA-6149-4127-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-92BA-6149-4127-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.025{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92BA-6149-4127-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.026{C189DCE5-92BA-6149-4127-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:19.699{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22078-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000298924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.235{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.235{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.214{5097E253-483D-6148-1600-00000000FB01}12926552C:\Windows\system32\svchost.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.198{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.182{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.182{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-92BA-6149-C52B-00000000FB01}3328C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.182{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.182{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:22.182{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:23.701{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79583FA504F6B157C61DE170229046C9,SHA256=728DD438739001024FBD31E7CEA744A5E76A77854ECE41C3488258C8790B0837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:23.413{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E438D380F4AFB8704E6F826631519B64,SHA256=D71CAA54C7C4ABE9DB02D700A54DB2E2E6BCB04069CB9CAC2D1626C7D3F9C8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:23.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C0928F0E0F6802A125FAA7A81FD639,SHA256=97131AA25D7236944F4D098BBE8B701804322F4CEBB400D998B7184C336E8564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.779{C189DCE5-92BC-6149-4327-00000000FC01}24163492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000260934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6055B384B11A26FA69A3D4C10CC2E2,SHA256=CA7DB4F92FAFF2333B629BA5FFA90911129F1545FE15C1491AA7FD7192DC7A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:24.429{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA7C49BFC1B85D54197D75F522FFA67,SHA256=61AD240DA0F15A30A1FD507F90E41C8855E596B1B7ABE7D9136E15C46671D0FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92BC-6149-4327-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-92BC-6149-4327-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.560{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92BC-6149-4327-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.561{C189DCE5-92BC-6149-4327-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000260920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.466{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F9C06A3098B1059D2AE47B3514DF74A,SHA256=26BBDAF8FFCF835ABDE87802F4C16116F7D1DEEFC668100D907715FD9140B9E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:21.202{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23509-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D62D9DA8D2A4EE5A415528CF9C53CB6,SHA256=045489FA36F2BD2A931FC07E81440F9B5744DCBCBD391DB2DA08CD93339E21EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:25.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8008CB29FF6D5332165C99E7B406E5EB,SHA256=A886B86E8F70471A8094F1C40911B79D8892C2F4A323A93902CA20B178119177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.576{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63A98D578CCCDEB489508AFBD3E78BED,SHA256=536BA3026247E16FADFED4B341032E8868B1B5EBA6FCC26A6D0A7A47FC436F4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.419{C189DCE5-92BD-6149-4427-00000000FC01}30643544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92BD-6149-4427-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-92BD-6149-4427-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.232{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92BD-6149-4427-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.233{C189DCE5-92BD-6149-4427-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.707{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:22.686{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25139-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.794{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D184A898F05E0565EC90A0C564779BA,SHA256=13E4635358BAEDAF3C758B8AC195A44FC9941BD1C76CDBA1BE4B4D2179951295,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.826{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.809{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.809{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.778{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.709{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x8000000000000000298943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.693{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.693{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.693{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.678{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x8000000000000000298939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.678{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000298938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.546{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.546{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.546{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.546{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.531{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.531{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.462{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABA02F83E38E2096951B1BB0BC282A6,SHA256=E3F376673B15AC82EC3992F3D8E2737A79C5A49A9DA9C0D3032BD5F8021668B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000260967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92BE-6149-4527-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-92BE-6149-4527-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000260956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.560{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92BE-6149-4527-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000260955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:26.561{C189DCE5-92BE-6149-4527-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000260954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:24.126{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26545-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000298931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:24.442{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64131-false10.0.1.12-8000- 354300x8000000000000000298930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:24.178{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-49331-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000298929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.127{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:27.841{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC1348AE2F35F67C5CA3293A306509B,SHA256=1DCDDE3A75EA665E5D33D25B5FD4BFC58340D1C49DC89967783E4F50DD657D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.054{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61780- 354300x8000000000000000298965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.044{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63316- 354300x8000000000000000298964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.041{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50155- 22542200x8000000000000000298963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:25.658{5097E253-9226-6149-A12B-00000000FB01}4420prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:25.656{5097E253-9226-6149-A12B-00000000FB01}4420prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000298961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.708{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000298960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.477{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC8A0F84D092BDDC92B050A276F70BF,SHA256=867A4286D55CFE9010391D5DA991F38704A14B629D9D1FDBB9482FD2F5F46D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:24.993{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local64133-false93.184.220.29-80http 354300x8000000000000000298958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:24.983{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local64132-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 23542300x8000000000000000260969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:27.388{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=482DD5FC59B2F21A5CC59247DFF100F8,SHA256=2156EA61CA19B16005BB5B6526DD9D2226DE1674E60CDEBDDD1B84BEF0A5E904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.161{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B909F16FF0D27BCCD82558F6CA67E26,SHA256=B6B3F8CC5C83D8D320A0F8E60A18A0146F544548E89686D23497F4CA01541731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.161{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93D30758A73DA3D173F72DB6892E79F1,SHA256=558975FFC7E84DAE29714560C62B3E9247B1D6EFE0E3C31B19EB8FD9A15DFDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:28.888{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95A37FDDB96BA0CB14D13C3FD6F7EBE,SHA256=05A846788346B50DD8E6CBE1F78EA175B2BE9C93325FEB431D4FDD75A684E012,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000298990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.731{5097E253-9226-6149-A12B-00000000FB01}4420pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com052.37.158.247;44.239.125.99;35.163.9.121;52.13.236.190;34.216.113.46;52.42.129.205;52.43.83.211;35.155.229.139;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000298989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.634{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=67D655AF6F38926B7A946B7B6A592F27,SHA256=71CABA969A4E745EF3688D5440DA3DA3B490E7C7306A85CE113C2DE20A6302B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.544{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000298987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.544{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000298986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.544{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000298985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.544{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000298984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.528{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.528{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.528{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.528{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000298980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.325{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53504- 354300x8000000000000000298979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.200{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local64134-false35.155.229.139-443https 354300x8000000000000000298978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:26.196{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local64135-false35.155.229.139-443https 23542300x8000000000000000298977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.507{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64BDA629BDA0B2AE94BC9D2C27FA88C,SHA256=C8FD3234DDFAAFC0D62CDB43FDAE0A49639456EB900715BA0CD5F458E91CA08E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.494{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000298975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.494{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000298974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.494{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x8000000000000000298973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.494{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000298972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.444{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c 23542300x8000000000000000260974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:29.935{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFB23F3E3EAB15A34EFAFF693779624,SHA256=9CB98A48DFF346BFF4F919C61118EB2D40C8642D9E7149C6737A8071672BD0C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.080{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49791- 354300x8000000000000000298996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.837{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64937- 354300x8000000000000000298995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.791{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64937- 22542200x8000000000000000298994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.011{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdcus04.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:27.001{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdcus04.centralus.cloudapp.azure.com052.182.143.208;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000298992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:29.682{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B909F16FF0D27BCCD82558F6CA67E26,SHA256=B6B3F8CC5C83D8D320A0F8E60A18A0146F544548E89686D23497F4CA01541731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:29.582{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA0F8BFD1C2EC8D146F5761CAFFBCE,SHA256=F2DFB82EE51DAF90A59D8C5542A7500B900D9EC93828593E728E4E393D7A8E8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:25.598{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28088-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:29.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE8F8FBCAEFDC0F412A1DEAAD9798BF,SHA256=B06E128F0FA29C8896C5E55DA8775F2C11E541F210F3999874692E96199FF374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:30.966{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867EEDD33F126A22215F8B7A7176FF22,SHA256=7D51E6019D71F31DA9B47078D524BD2F08CAF3B6AE27E2C3D329EEC684F5896D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.085{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58894- 354300x8000000000000000299005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.084{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53107- 354300x8000000000000000299004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.083{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51283- 354300x8000000000000000299003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.083{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50099- 354300x8000000000000000299002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.081{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64027- 22542200x8000000000000000299001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.762{5097E253-9226-6149-A12B-00000000FB01}4420djvbdz1obemzo.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000299000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.759{5097E253-9226-6149-A12B-00000000FB01}4420djvbdz1obemzo.cloudfront.net013.226.152.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000298999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:28.758{5097E253-9226-6149-A12B-00000000FB01}4420www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 djvbdz1obemzo.cloudfront.net;::ffff:13.226.152.19;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000298998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:30.583{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB09D80C5811E2D077239FB17BBF62B,SHA256=EEC4410B0089FEF9AE826589C5A2913C741888DFF1C5C174658704BA2067F595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:30.404{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D2D85A379708CBE93DA78E64AD4A0E7,SHA256=D5C880FD96ACE9100BCE563638D196BCE5BA84BE541F924FAE5EE756A571D849,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:27.031{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29590-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:29.450{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64136-false10.0.1.12-8000- 23542300x8000000000000000299007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:31.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085EAA5E08316A2B7B66E14B7DEA71B7,SHA256=F1A0C6686783B17460BF0D9C53AD6FA5DC1D1E3CC2334EC69EF605A1A5B86979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:31.747{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B3E35D85667A091518F3AF2864A2B66,SHA256=3708E6130E71217A83B0ED8BE7510B2E49D97F1E5E2733822CAD9C92429694CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:28.693{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000260978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:28.631{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31082-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:32.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230B40CEB6932E674656B696DBEB2132,SHA256=36D282D354F7140038C2E5B340A9E83F47EDA55D73735DD6825121F337C9034B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:29.954{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32584-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:32.029{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3421268CA7319EA7165F4FBDF43D3785,SHA256=E546562C109C6DDE3F737C71B1D82E23AA0D615E8231683AA76C688EBA01F2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:33.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464B5803CF285ED8EAF82F08ACFC2998,SHA256=5707313190B5C8B8ED2C2601AD114D71064546023DA3D8077448CB7FA4A13251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:33.263{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D818421798ABEEDF4AD7965D31E6B22F,SHA256=BD332D206B1DDF6C0E830F3B44F36F6449F4783A5C3E863BB79383EDA6AA1DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:33.029{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB8832EA7DDE4BE8954BDB99045D65A,SHA256=8C79A3099EFA489E28B76A95606E2016CCA863BC84A5EC62FA7280086E9AA2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:34.608{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0724284E6C31247289DEE8B8AE7958AA,SHA256=070AA39758C960B8A05E43B653CB7F446AB414D5D819C912385D2ABC8345EC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:34.607{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1698721B5BC176661CDE34499E6CC5C0,SHA256=479F5D5DDA1C1D0E2AB5E7C31C5575F84884B5DFF3A039C04063ADF9BC87AAB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:31.302{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33870-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:34.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744180DF688404D83D71144F19AA96C0,SHA256=C6DB8BAF3D32E375F85BAB3BBA4366808808BD157EC9A6CA690377E1CEA95920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:35.610{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B40B60BE52F06CC377FA0657455503A,SHA256=52A6AB1994742F44F1CFAF0A5B9BE06E811B7B2B3144C428D5514C814DAD25C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:32.813{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35140-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:35.279{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D996989C186A8D65BDC920092C82039B,SHA256=F7607F00788D123E9A9AE97EB92F7F2B2C85B10134A97F7A087D3A673622DE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:35.279{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4739C65A0FBD0F0252CD584C5002E180,SHA256=E9CCECC4B3351CE79B9A8E6FA75B58D68C58C4DBA2C6510D735E13D65698A82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:35.091{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9AA3968064C7E1BA6D7B975EF80521,SHA256=30E7B27F393A98D6EBEDA1F3A21F6142E008994D561374E18D9749079BCBF098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:36.612{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102DB168ACED4CC14DC41C4B29092C9,SHA256=1A4A1DC6448AAA0B6B490097668308BE79CF85CBD1E6392840403EE36EAB3147,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:34.313{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36848-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000260994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:36.435{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD01421D26FB9CC6D213A144DE67B75E,SHA256=691AA86D064189CFB226DDCCB67678C3648B1F4C203435DC7A55533EADB605AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:36.326{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:36.107{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013907298121AC78239DB17D66D3F3FE,SHA256=7E8B06EBCE466F6D4E4BC2D37E28B7BC62ABC4B88D7429FEE32124847A7C0C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:36.448{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:37.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4303E14DC57A43E571D5D9CB997D4E33,SHA256=8C019E37B35110CBF4A0A953A76C0452D53FB48C20912477953E3F0F09A69D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000260998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:37.779{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B26C64F980F7243D279BD9C9F188844,SHA256=0CFAB77B699BB2BA8D0E4603B92E7DE94A7DB4AA1FA0B2DAF82DA4AEDFCAA0AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000260997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:34.708{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000260996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:37.122{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5AA61CB3BE157B49B74E4915655301,SHA256=178846591B5E14C2F694D15E8BCF7E85681C657E7315A50D4198A389687F43D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:34.451{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64137-false10.0.1.12-8000- 354300x8000000000000000261000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:35.802{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000260999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:38.154{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C905BD9868748E8D5DBC69B28AF701,SHA256=C3EB9165519DD28064103DF5FF3134353ED01314E359B895DA2A7AF431B0E344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.969{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.967{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.967{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63928DEE389E0C00F3C1BABD2B0F90C,SHA256=B8B6EE5697D6A4B6088A5D2999421FE5BA3945CD9BD414279EE2A2D9C76DCC66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.278{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.239{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.166{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e4901f|C:\Program Files\Mozilla Firefox\xul.dll+e3814d|C:\Program Files\Mozilla Firefox\xul.dll+403a1c3|C:\Program Files\Mozilla Firefox\xul.dll+229b601|C:\Program Files\Mozilla Firefox\xul.dll+9df490|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51|C:\Program Files\Mozilla Firefox\xul.dll+9aed7e|C:\Program Files\Mozilla Firefox\xul.dll+9ae0de|C:\Program Files\Mozilla Firefox\xul.dll+9b7f1b|C:\Program Files\Mozilla Firefox\xul.dll+900933|C:\Program Files\Mozilla Firefox\xul.dll+89f837|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f 23542300x8000000000000000299017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.093{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\formhistory.sqlite-journalMD5=5D990FE2A63D2FFEC5920BC673D8CCEA,SHA256=2067AB9EB986EACE08DF15633BFBF3279230471C0BBB1AB0C6885F8AAF650387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.864{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8718C91E2A6FC22F13377A859F4F8AE0,SHA256=91F97AF79E48B9331BE7932A7AED9D93EF70E45660F04630F5AEB4C6BFD67602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:36.005{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38372-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:39.279{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2292126A58AFE3261FA3D4DB1739A099,SHA256=54DF8E77E525AAFDDD1B0165F5C7A8763A31375B7936D30A70DB6E4696CC99A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:39.154{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C1B3F00776B8175E124E4B439DC8F8,SHA256=614D4AA02EBCFCBBEA58C056C5C7E18AA43A513AC14C696B6BB18D79166CB754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:35.747{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64138-false10.0.1.12-8089- 10341000x8000000000000000299080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.315{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.303{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.303{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.294{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.294{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.285{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000299074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:07:39.285{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000299073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:39.285{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.273{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.273{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000299070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:07:39.273{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.10.79584650C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.273{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000299068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:39.273{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.10.79584650C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000299067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:07:39.270{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.9.40641231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.270{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000299065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:07:39.270{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000299064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.252{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38AAAD33651B15F5AEB394D39DEC3D2,SHA256=1C2A232557B4A5EEB4F1AA258CEC49C38DB1DABBB55888209F098FEC16B3D1B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000299061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.191{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000299047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000299046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.188{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.182{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.183{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.9.406412314\1884379270" -childID 5 -isForBrowser -prefsHandle 3552 -prefMapHandle 3992 -prefsLen 9753 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1712 1e78f525538 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000299036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:39.171{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.9.40641231C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000299035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.097{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A259208910327F73537D3D10828509,SHA256=33C98BAF79487FA1695C86FF6B1572CC9FEEB17744A1ECD78F1B2BD433725C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.094{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14BC735B73B38F6E9CD4CD638B3ABC80,SHA256=850A48E06C39A9853C1EE160A27D61B229AA39BC9B910BFB68A0EE1A10FED3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.091{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000299032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.064{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.058{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.058{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000299029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.058{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000299028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.000{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:40.881{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1374MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:40.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6ABD01206463D1504212B027DF081,SHA256=DEA8B8FE0FACDCB3BB76DD03FBA9A8486385E865CC871254BA5B385074D99C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.726{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58875-false142.250.184.226fra24s12-in-f2.1e100.net443https 354300x8000000000000000299086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.724{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52127- 354300x8000000000000000299085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.724{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62923- 354300x8000000000000000299084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:38.693{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58874-false172.217.23.110mil04s23-in-f14.1e100.net443https 23542300x8000000000000000299083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:40.275{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A259208910327F73537D3D10828509,SHA256=33C98BAF79487FA1695C86FF6B1572CC9FEEB17744A1ECD78F1B2BD433725C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:40.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CD768C607CCABA263B6846A55002208,SHA256=11E7B4274345F13C23B8174EE4199A248024C59BE6F2C3E4DC7233C64CA786F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:37.333{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39932-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:40.169{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4098196EE5763CA8FCEF175C7A1C68E,SHA256=C2075E60D3F1655580833D45EC0F28CD11054A90DA3398DF1054AA9F5535FF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:41.880{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F188BECE060DEF5342554D856A17A808,SHA256=A1D7E387B8CDA255BDC2886F71505B63AF16EDBC5B10C6D9232CA9C1A6921EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:41.879{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1375MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:39.031{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41441-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:41.185{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9724CC5437061C43B7CAF62CADA0D34,SHA256=89F48DFD6106464CD962ABCF421DD4EAFFFAC1DDEC74BC41E261AC86CF50E6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.895{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919C65D0FD2DA5132C5CBEC7F4DA858,SHA256=C79D6EA7C23849B1BB19D4F309BB8CB2C15002222057180B2E07B1D4273FB1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.892{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:42.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70F27020373F27ED8CD4D93F90415D34,SHA256=D264E02A3F81590B9FF7A9B93D4F3FF1C0E6BCDE2EAC8E4399D48C95205FDC3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:40.657{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42961-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:40.646{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:42.247{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841066C63CC437D8F07995907C724C60,SHA256=D6F5CEB14AA630E434212CC0D1DCF9CAEC232EDEE077E1D09AB1C43A547448AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.890{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.888{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.875{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\permissions.sqlite-journalMD5=7AE1F03F90DD563E3650108A585C3EF7,SHA256=EDF97E3AA080B1DE6ED8B325CA241851B6DF387753DDF6E58EDAA9CC7282ECE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:42.458{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000299103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:43.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2C5FC8CCAF59AC0A7A1D5CF2CF5F64,SHA256=04D0A8F018B4890C3C0EE0857AAA16891204D22FB21E78806C4D85CD39E4A6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:43.921{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5F5F320E032E7188B74286A93FB71C,SHA256=1A1800C1A00714A143E200800F7E3E9CA0FB57325E0438E0796EB69AD6C6D975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:43.249{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D304904CBC5E3FF6BF5B996B14F31469,SHA256=744F8240B5D9C4AABAA201F52D0B60E625299013388A6638E7DF11DC0BDC6A6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:41.772{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64140-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000299101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:41.772{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64140-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000299100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:43.469{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CE2698F060125CFAD3F5117DB53158E,SHA256=A39C4F60BDED422A450837303906EC4AF29195AF105F6B90B0DC0530E2BF59EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:39.537{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64139-false10.0.1.12-8000- 23542300x8000000000000000299098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:43.084{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\6048MD5=2619E7580314C04EFA1C620FCCF0FF01,SHA256=D23120A23D104B0AF5435D1EE9B4F231162A52A5399F4DFB637DA88AC017918B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:44.280{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57920390661706EC12EAEE6A2E8A9CF1,SHA256=6FEE21F8181EEAE8EF707D3852B8A03E051BD51B41BCC7B7AF150C54BBA02613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:44.316{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-walMD5=D4719F81E05807E847ADCBF5618CE3FA,SHA256=EEA2A5850C9224039BE6B85D88AB930F499D8D084206507E63791EF3B5615F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:44.314{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=EFFB8353538AF2B4243223C157D82745,SHA256=155CCAD848ECCE184708346C543609E3D53804277EB0634276ABEC5415C53185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:44.311{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=334B3BC9BAF0824571F031F50BBB6828,SHA256=35EC8DDAD005041D033136FC42692D3FEAC1F81AFB0B36B60D1B82D1323E14C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:44.296{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\usageMD5=D7F234E6A4913961935DAA2DE8F79265,SHA256=1665D8472FE68F76666F520A82349EDB2E6B8A22CFB97A39FAFA81746A68683F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:42.143{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44549-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:45.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619F6A1EE1B58A8FE6E70F24EFCA217F,SHA256=2047BDC796CD958C1B0E03A833BBC468FEF1D13A5EA83ABB526D2046175CE545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.504{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000299112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.503{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000299111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.413{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.413{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.133{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=263FE758D3E139480382B34CEB919D25,SHA256=1EE33BF401E9D3BE68A0B604DF67F52F93264A096C33DE54B4EBDB9CB080A5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.132{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5A5DF35E24C03CB1621592AF7599AD,SHA256=8ED90C10A727403FB42DC4DB31D9980D62F1041D16DC67604840E3972E828B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:45.343{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67070EBA8FFAD6B5DBAEC3DA10147305,SHA256=5129F9024DA4710DF8C4F4E70EBA03D9F2165B48C1D97F93CA20186BFC58C2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:46.983{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE6311C8956D54AB4D49D2EE822B2EE1,SHA256=2F2BC79D550FB913B4A745868C721BA16AE0F33C0D5E05FCFC268EF8DE98C140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:43.538{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45965-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:46.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90274FDD887F526A87B02F7425B32002,SHA256=CBC2BB89A2D2C33213F8E25A2D677C6F28DC2E1A7244594086B31855CEA76F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:46.157{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116389C2378372B9F7F0F1792075AE68,SHA256=9F67B86FD1406D73AF8B6B8978B6AC53609AC2FB67930331F5B1C3A6D93526C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:45.891{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com14654-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:44.954{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47617-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:47.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598FAFAB8C6794A9C7014A4C2D252150,SHA256=0DA3E63CCEB6775BED9E1945FDBFA7F22AA4F6BF3AF65164A5E48BC947576369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:47.163{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0793ED13D9538E45980EE409B807EA,SHA256=AFB8B128201100CBEBDE48B2F9207A68FCDD75F7279EA50ACB1B367E88C0CD19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:46.647{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:46.594{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49098-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:48.555{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9B8011771CC7F75D92D9E91B3DB2F00,SHA256=E78D82C2975204C1D9DAC6B2140F9823B6B7908126AFF6227CCCBAD141117589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:48.508{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8953E5C902DB441E304166D21450B1D5,SHA256=F219D0A919D32D4849E1DA51642C3C432548F38080C958F8F0A43D135D591342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:45.456{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64141-false10.0.1.12-8000- 23542300x8000000000000000299116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:48.168{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF9BD6FFB17092B4595147C402D8F0,SHA256=F57B7D607F42158A1E245C31FF700F81A160EDF2469D0574B620A9A4FB3B28F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:48.049{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1366MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:49.538{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17D2926BF4EC91344BD45BEE6FC27D3,SHA256=191BBDF0B12E7FEAA55DAAFD5562FDA1EDA3027CED7BD4FDCE6443E2EC30A350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.726{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0B5F5418F1CC4F5E3B05884BDB60F6,SHA256=D89C93CDE5B97995155E02E7BB1DAACADE9404D91688270105161DDA68727F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.437{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=DAF0D5C0AA2ACBFC7A5CCF022453B4D7,SHA256=76BF0EF8E305BFF4073FDD99073DCA1E1A20A656BD670691D8DAE888B642C53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.435{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=8BB1EC2DAD4A2187EC6B7686D8EEF709,SHA256=8D144421AE8B41A9D5C5E9E44B8A6F8C415F2AA4717B0151A7154A31AE38EBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.434{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=5F3CC01C9CB64764AFF4F96C0BA8FD8D,SHA256=7120A6AB35B655BF7A28FCFB91BF389217C3063D4BB9223A031EF1525A14FD0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.433{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=4492972DB7C5F2E72D645B7A664836F5,SHA256=79C1DDEF9D91B9255EA2F8D332E99AF116DC495837D13AAF4D6954FCC800EF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.431{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=0662BE3A0C8D77E6F2FF6D220B17949F,SHA256=A41B1048A8BDB50E63DF73C45C8B52BBF164E60BFD9DDFF41E7F75111E84683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.430{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=3489B0A06B2CBC132ACBFF2B1D2BF847,SHA256=DAAED857C86B29D8940F581AB08075343EDF5A423A3B250D90481D48A0404C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.384{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-walMD5=0AA262479E607096824EB4747E6FE84E,SHA256=A1F564694E7EB48194FE1AD6856ABA097E5B6F6637ACF65CD59727AED6D681EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.383{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=A420D42A9F8BA42A876B6FC3107F48EA,SHA256=DDE55B17BC4F2974AD380C665B7BBDCE7DB2C0D2E3E2247FC4EDF3D4E481B379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.379{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=7348D8D80A699DD2D317A303030615B2,SHA256=2537C6A2000788CBAC59BA4130279B11BDE1270841445B7B234D678F8BE2666B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.366{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\default\https+++www.google.com\ls\usageMD5=7864381B7ADA50E2D8FA4059957D6E68,SHA256=1565A848C0164A9C2FB29E5A9ED08C03B99A10A470109AEC9F41FEBD512CBA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:49.172{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B839D62100AE2B50E1A02AC98A11E6,SHA256=7E6DABC02FB77FCC518325E3AECFD24C2A977537836880B460938373F1916BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:49.056{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1367MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:48.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50815-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:50.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542696D2B4880C49BA0BCF771D2F6F4F,SHA256=46C180B9AB4AADDD05452529A737325DEC012E42731E2E145B9F9ED16A5AA0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:50.366{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4078D5903FAE59C0131595FFC778E1B8,SHA256=929F4571B8A860CB408712F2BA4C62983362A80BBBDB1B8079C7BE919C6AE41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:50.182{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F83A9B1FE786D5E5362A8CE9A9878C,SHA256=3BC3D6816DCE1F00848B259C4AAC04FB8CF56C624915F7CC73F71FE059AAC3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:50.196{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93F459E4054CC8C9D65882351A34DAE2,SHA256=1C54B248CE608FF789931D3845D18C90188BF9F993D345C059890F07510FD8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:51.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2DEDD459F7083231F9530E10608F011,SHA256=4549121D1401421DA8018233D711141EC14A0DE88D61E15DA3916D4D552996FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:51.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900D4DA9CC3229479B7AB17A6397C1D8,SHA256=854B0B4AEABDDD46FB60E1DE9195C865990B15A42D99C8F69B5EF20EDB56AD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:51.542{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:51.542{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:51.542{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:51.187{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865274E2CFC52C91D1028A39BF02309D,SHA256=1FC81F76AF28E52258C6D3100A0D18946C2CF7FED83CE1FFD6EC9B0C75584715,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:51.124{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53902-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:49.765{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52373-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:52.899{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B7B6B7ADAD50EEDD5708C81103660B9,SHA256=CBF161E13E0F0D414AAC8B0C241098B1DAD35627BA999FFE77C3B8DF51FFD3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:52.571{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF704418BFAC7C15338B3263EBE078A,SHA256=3E94539022730A3773731CDFA4D1DD838713A5ED2FCC229C7BDCE1C0878CAF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.612{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92D8-6149-C72B-00000000FB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.610{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.610{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.610{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.610{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.609{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-92D8-6149-C72B-00000000FB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.609{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92D8-6149-C72B-00000000FB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.599{5097E253-92D8-6149-C72B-00000000FB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:52.195{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724F0CC9BB2C2BEBF78AE0F01BE6C5B5,SHA256=D36F30A17A612D8CD69CF162D490706FE890BB9220100E40967F7EE166D0EBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:53.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CFE72BD57000CAC7400B21C8A3421B,SHA256=834B2693EFBEACAB34B00C146F135180AE0D454E0088CF31935F3AAE3C55B1C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:51.452{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64142-false10.0.1.12-8000- 10341000x8000000000000000299153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.291{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92D9-6149-C82B-00000000FB01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.290{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.290{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.289{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.289{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.289{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-92D9-6149-C82B-00000000FB01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.288{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92D9-6149-C82B-00000000FB01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.283{5097E253-92D9-6149-C82B-00000000FB01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.200{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977C8E08FD0BCCC015DF0F47F358CF6A,SHA256=FB06ADED9412C34462C76C2E2957899338351E0D5A886D98288E917C8D570D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:54.618{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E192C63264FE2015D42A85C0EB46040F,SHA256=8217F6726852569797EAB677B69C22B14B655456FE1C961E29047129568CA0F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.913{5097E253-92DA-6149-CA2B-00000000FB01}42404164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.746{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92DA-6149-CA2B-00000000FB01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.744{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.744{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.744{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.743{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.743{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-92DA-6149-CA2B-00000000FB01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.743{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92DA-6149-CA2B-00000000FB01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.738{5097E253-92DA-6149-CA2B-00000000FB01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.286{5097E253-92D9-6149-C92B-00000000FB01}3527596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.211{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43A93C984205485E9957FD6620EF990,SHA256=53F7C98F042461134E740B1C204B77C0CE9FC194150CE2F7D341CB82ADC05E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:54.243{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2744FFB6E5DA1E3B2829F19799A7945A,SHA256=AD7F505F36B586BBB992960ECFD5AC458CECA857D81411FC55467D7880778B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.125{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92D9-6149-C92B-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.123{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.123{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.123{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.123{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.122{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-92D9-6149-C92B-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:54.122{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92D9-6149-C92B-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:53.963{5097E253-92D9-6149-C92B-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:55.962{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0300DA07316CD1F05FC89EBC6ACE3A97,SHA256=190676FA5D22AE7E1A0F6E4F7717EB24A5E4A0D728ADDF9FA5578C91A0CCAA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:55.649{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD37A23296018965448B0AD4034058DD,SHA256=86F19E9DE79A34FC5FD9B19B2C86B0267A426F82873E000407215094D316EFD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.608{5097E253-92DB-6149-CB2B-00000000FB01}40446796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.457{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCEA7E92F6894DF9A2682716FAED7FE,SHA256=DBDD978A8B6D013F08B2BDE68E6D8C264C71A39FDD3C167770FC59E61B2212E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:52.673{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:52.453{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55201-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.425{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92DB-6149-CB2B-00000000FB01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.423{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.423{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.423{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.422{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-92DB-6149-CB2B-00000000FB01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.422{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.422{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92DB-6149-CB2B-00000000FB01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.416{5097E253-92DB-6149-CB2B-00000000FB01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:56.696{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C39F6AA4D140DD312D883EED815F6C6,SHA256=A69E6E5DA5C71EDC3C1077D7D8A03D7B0B111B3EF0FF84C5ED022F34BC2AD1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.463{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB117842AA7C0CE95DC48A2AE94133C9,SHA256=35A9EF44D549828EF065F48CADBF1BCCD135B0968ECF055F85607772585A7D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:53.806{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56651-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.245{5097E253-92DC-6149-CC2B-00000000FB01}32805548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.096{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92DC-6149-CC2B-00000000FB01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-92DC-6149-CC2B-00000000FB01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.093{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92DC-6149-CC2B-00000000FB01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:56.087{5097E253-92DC-6149-CC2B-00000000FB01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.743{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C326756E9F4FCF0E6F9F3949C6A4F1C4,SHA256=66EDC54BFEC2ADED42D35ECD3991BAB5463CCF1D442D14EB98E331BB3ACE27B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:57.468{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146DABD87D3BC2E4344786250E8FB7B,SHA256=689C9886795A19571F21BB86B48B6034E815A3B6CE2E5F0260C8E5A1B82CB70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.462{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56F1EC4F0A4C45AB8F1FD73DA1E3DB05,SHA256=4049E87F6DC0E2C2CBB99855D0A7FECB4687D6FBCEA1B6D4282BD4F8563251CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:57.325{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x8000000000000000261057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:58.899{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E49129CD64C41929EE32E67DC4F126FA,SHA256=765DC3B6C39D90AD8F6D50F6F99B549DB09A7C08F4834184C12031F56B564091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:58.806{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96577F9059C9C2E5987117EE5C0810BF,SHA256=FF99888209F57FD4892867646950ADB7DA8E6FF6AD8CEA65DF5ACFAE591C5085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:58.474{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE94676E524A5CF504D3AFAE76F31A81,SHA256=3B0BA2FC9C834FA6407C9452DAEAC61BF70D7F63738860346BD574CF030B9A1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:55.674{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58406-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.856{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64143-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000299198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:55.856{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64143-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 10341000x8000000000000000299197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:58.128{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+fdc990|C:\Program Files\Mozilla Firefox\xul.dll+fcd08b|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd4837|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972 10341000x8000000000000000299196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:58.078{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 23542300x8000000000000000261059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:59.837{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1795A64A9BB05FF0FB98FBD9B53A102,SHA256=2F0707F8A29ABD862AB70950779C46DF110063E198F0577CED81F9FB4CB5DBEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.993{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-92DF-6149-CF2B-00000000FB01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-92DF-6149-CF2B-00000000FB01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.977{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-92DF-6149-CF2B-00000000FB01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.986{5097E253-92DF-6149-CF2B-00000000FB01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.962{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-92DF-6149-CE2B-00000000FB01}4104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.962{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-92DF-6149-CE2B-00000000FB01}4104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.962{5097E253-92DF-6149-CE2B-00000000FB01}41044464C:\Windows\system32\conhost.exe{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-92DF-6149-CE2B-00000000FB01}4104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.946{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2011fdf|C:\Program Files\Mozilla Firefox\xul.dll+2011df5|C:\Program Files\Mozilla Firefox\xul.dll+2011e41|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+14a9f5|C:\Program Files\Mozilla Firefox\xul.dll+14c453e|UNKNOWN(0000004498B34A10) 154100x8000000000000000299240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.947{5097E253-92DF-6149-CD2B-00000000FB01}4292C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/464d4058-d7eb-4a1f-85a8-775e44b834fa/event/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\464d4058-d7eb-4a1f-85a8-775e44b834fa https://incoming.telemetry.mozilla.org/submit/telemetry/da46da14-f8dd-4a95-82fb-6dde5825492c/main/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\da46da14-f8dd-4a95-82fb-6dde5825492cC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000299239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.945{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\aborted-session-pingMD5=EC8154A1C1F326E152E8DBE1C06B9A3D,SHA256=E2142CA924484D28E16277A91D060CBB14627256985AA1C0A2D65979960B7513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.893{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage.sqlite-journalMD5=3930BACDEB0F540F600BE7CC4D9E014A,SHA256=1AAE55E0BCF417718DD488204B3F18989DFB11F46E27180724EE49C6308FA5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.878{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\xulstore.jsonMD5=C8205907D75EEEA04C6ADA656FF382D3,SHA256=9BB92ED57A3E74FC0E0E333AA502EF83C4195B7BABC563361ED3EEEC6C0F00AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.878{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-walMD5=5D062711F0D0E5B6F9BFB78BDA950BE1,SHA256=B2233BB000BCDAFAF77F60BF1960D0A85A6D1A28C89B4EA3D0DF3CAAA4892F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.878{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-shmMD5=EB1EB7FBFC5F9994E021EE674EFD5DB2,SHA256=23FB39D874DEAD1F5742BB4EAD6A0A8D699599A803FF81C4309ACF91037E8FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.878{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\favicons.sqlite-walMD5=74A61B33CCE5F77E665CD462C6FE251D,SHA256=EF713973116F103676DC96A88375D4A3DB9107436B4357EDB932A2AE2A56BA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.862{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\favicons.sqlite-shmMD5=AF1CC02D1F054D28A80B962BCF40D284,SHA256=4C35688C2F8617E37BBEA6B3DA45575E5D200CBCF52D5BBDA228810F994DEDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.862{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\places.sqlite-walMD5=CCEB98871EE5D527E5D1706E8E095ABA,SHA256=D8159DACD5F366546ADDAC3BCAD5F1F73BA94DA78E48361CBC1A0A2613EF1C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.846{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\places.sqlite-shmMD5=C0ED8685A85CB1052C4B98D9FC452BB5,SHA256=8713D1C9E4AAB0688C970170EEAC51E0A189B0DB4EEE7DC0A42248FF76DAB4E2,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000299230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:59.846{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.15.162853451C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000299229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:59.846{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.14.87887294C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+13b3ea|C:\Program Files\Mozilla Firefox\xul.dll+1272353|C:\Program Files\Mozilla Firefox\xul.dll+1b6754f|C:\Program Files\Mozilla Firefox\xul.dll+1b5e39d|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+13b3ea|C:\Program Files\Mozilla Firefox\xul.dll+1272353|C:\Program Files\Mozilla Firefox\xul.dll+1b6754f|C:\Program Files\Mozilla Firefox\xul.dll+1b5e39d|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 11241100x8000000000000000299226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\SiteSecurityServiceState.txt2021-09-21 07:22:51.976 23542300x8000000000000000299225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\SiteSecurityServiceState.txtMD5=99AB33F75369B1D7E11047D3B5153C9D,SHA256=12ED92CB6B5995AFCDD39716FEAF2F6FA826EF84E97FE91A06AFA4BEF52D3249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000299223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\AlternateServices.txt2021-09-21 07:22:51.960 23542300x8000000000000000299222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.827{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\AlternateServices.txtMD5=3ABA6D5F4BD1DF95A21AAA32240472AD,SHA256=0CED017E5952AC706CAFA09E2049FB713EC34072D7379EEF0224CD461A018D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.812{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\startupCache\startupCache.8.littleMD5=A2DAE3763A5C2A53A8C03EBE325F5B83,SHA256=08A9CFA58C2866A669610FDCF674C2B42AB29285F4028D7F26935828897F858C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.804{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000299218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:59.801{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.13.123565409C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000299217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:59.801{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.12.106860375C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000299216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:07:59.797{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.11.73167292C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.786{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.786{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.785{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.785{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.784{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-92CB-6149-C62B-00000000FB01}7004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.784{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000299209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.782{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-922F-6149-AA2B-00000000FB01}4144C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.777{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\sessionstore-backups\recovery.jsonlz4MD5=B320489589E53228CFC9916ADD0D4C69,SHA256=3325B40D91EBD1267CF319DCB822DF38B8CF56090FCB6768833A370E83F25600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.776{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\sessionstore-backups\recovery.baklz4MD5=A44E7A576D0ED29532CC63F42FE95592,SHA256=A07280C781E14722E205E501D707EE8D6DD83DA3E2B0B050B3816DCF7E9D940C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.774{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.755{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.752{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.703{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83B589A89F101599F439ADB9CF97ADF,SHA256=D122031DC20398F199376345E23E2478EB381F3E87E967577CBCBE80E45615E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.701{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2173B2F70AD27AC9FAD784D72D26C157,SHA256=1725CF2E65E572B0E1AD4C7890EE4257DD0CA1816F94EE3B1C6398DC40EAA852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.482{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44E648FF0FEE7CB26491F772ACE78AB,SHA256=9D5C7FBFD809FB1FB6A17AED9F2F83032B4ED36CE613BA5696B53ADFD90861EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:57.067{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59915-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:00.852{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5E592D58EFB82CEB394ECB064EC4D2,SHA256=C1188EA47B201C324FD7EAAC5D7E3C728751821667BCE032FD99CF1C8933B85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.865{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8B20188DB1A0DB0C79A1460791DA93D,SHA256=80BAC704A65337762F2264BF2E78BF523503DE3C56B1D03EAF494461A4DB409A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.771{5097E253-92DF-6149-CD2B-00000000FB01}4292ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\464d4058-d7eb-4a1f-85a8-775e44b834faMD5=02D64A408F7A00020EBC7DA4F4C351E5,SHA256=2547C25BE5D5BD3EC3C570EA36E5D48EF41347FF3778222353E10EEE54226CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.490{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF387C1A5D82D15E51274D7B4A1BB591,SHA256=2107E7A00AA9D6F455C67E2F3F81D04EC6DF4A3ABE43793A7B6236CFD4EEB9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:00.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=942597407B1C7B8E5220CD1B5309BAFE,SHA256=7E12B2BBDC205E421E41FF892527A43523C5893ACFB59A8E498019B1A7A4A76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:57.435{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local64145-false142.250.186.42fra24s04-in-f10.1e100.net443https 354300x8000000000000000299272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:57.371{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64144-false10.0.1.12-8000- 10341000x8000000000000000299271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.046{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.046{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.046{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.046{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.043{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=1D7C39686D92EEF280D0614AB86E2B97,SHA256=E18F88046E7962B6F9A1F2CACDE1F7FE2E72A5F1FB7C47CC5080F639D16A1087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.024{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD1D8872A250F8F96D5293EDD5D44C,SHA256=14FBE5CBEE61ECD34C5F7A39FFE547E0166A3C9F6E264A4AE1ED8EDD30AA8596,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.009{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.009{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.009{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:00.009{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.993{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83B589A89F101599F439ADB9CF97ADF,SHA256=D122031DC20398F199376345E23E2478EB381F3E87E967577CBCBE80E45615E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:01.868{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4810A110BE1D18114C093FF9CE88F9FC,SHA256=1B091FC14C2B5658D086875E6608231720EC2DDD78221C6D0E0417CBE770FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.880{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+4906a|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.880{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e6c3|C:\Windows\System32\modernexecserver.dll+1e7b1|C:\Windows\System32\modernexecserver.dll+3ac16|C:\Windows\System32\modernexecserver.dll+22087|C:\Windows\System32\modernexecserver.dll+29989|C:\Windows\System32\modernexecserver.dll+2c80b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000299291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.849{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000299290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.802{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdwus12.westus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000299289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.792{5097E253-9226-6149-A12B-00000000FB01}4420onedscolprdwus12.westus.cloudapp.azure.com020.189.173.13;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000299288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.771{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A8FEC758AC058F09BEC376ABA55CE2,SHA256=FB5C5B8DA67664B2D32023FCE65930DFFECFE9A3ECD5A35C7CBB209F6574399E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.662{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.662{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+2a5990|C:\Windows\System32\TwinUI.dll+2a80aa|C:\Windows\System32\TwinUI.dll+287b97|C:\Windows\System32\TwinUI.dll+286ff4|C:\Windows\System32\TwinUI.dll+287217|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000299285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.662{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+58f0f5|C:\Windows\System32\TwinUI.dll+287c5e|C:\Windows\System32\TwinUI.dll+287b71|C:\Windows\System32\TwinUI.dll+286ff4|C:\Windows\System32\TwinUI.dll+287217|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x8000000000000000299284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.490{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7944779BB4960029BDA9AE59499EB2,SHA256=CB18AC36378C63A61D3C6553F530D8DAE877E1FB543097B181A71584CAAFBA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:58.610{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:07:58.469{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2436-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.369{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local65134- 354300x8000000000000000299282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.344{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49433- 354300x8000000000000000299281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.343{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61693- 354300x8000000000000000299280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.117{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60821- 23542300x8000000000000000299279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6FB14E1B936C7F3466ED02BB34C40077,SHA256=F31C26ACB7B1F08F47FCAC83A992526E18C891104BDA2AA35764975EC0430C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.224{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EF635F035E243446AC3246A7BD0DB1CC,SHA256=01FFBCD54375E6D6B028269DBD9C184555E4587D420DFC7962831123A0DE2BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:01.193{5097E253-92DF-6149-CD2B-00000000FB01}4292ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\da46da14-f8dd-4a95-82fb-6dde5825492cMD5=3463AB929748E77E24C52961FC1883E0,SHA256=3B96809471FF46033EBBB400290C4AE8B1B906BCFDE9A4C40D2DB352CE3502AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:02.899{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55F77323142894B044134D8F25D635A,SHA256=3C581D49ACBCF49BF3D43A02639C883283E465F67B73202C2F70F06E64A81BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:02.505{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087DCECBD47D358D527C65E5F86978B,SHA256=EF402CD116710CFDC016E1858643E4A09AE67828B1E7509B658D342698F50CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:02.165{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D423F567EEA60CE6677DFD9A0B2F6D88,SHA256=04020B312DB9F59EAC935CA5FE292B706DF7209F2B4993850D8CB7D95BB3B795,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:00.166{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4098-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:02.005{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:03.900{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB430251555FA6BF71EA21A8BFA1B21,SHA256=13C40A12FF2A7C34815941526F8A9703B658B3103154DA98BCFE4552C707581D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0D00-00000000FB01}9043652C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0D00-00000000FB01}9043652C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.732{5097E253-8792-6149-A129-00000000FB01}43164828C:\Windows\system32\sihost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.670{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.670{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.670{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.670{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-929C-6149-BC2B-00000000FB01}5772C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000299333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.513{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CB5B1C859ABA073970FEAF057B667F,SHA256=2403776CF50847ACA0350E78BB119CA9E8FF91B98DA649DD63AEE6546F344314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:03.227{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=95BBB10857569A335EF4A77571A04E17,SHA256=B9FE9169F8BB338C2037C4368CFA2FB63D55955307302B414260BE0E072C8EF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.373{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\TwinUI.dll+381436|C:\Windows\System32\TwinUI.dll+38153b|C:\Windows\System32\TwinUI.dll+37f40f|C:\Windows\System32\TwinUI.dll+1ee2e|C:\Windows\System32\TwinUI.dll+1e6df|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 23542300x8000000000000000299331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.373{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D01CF0368EDB6C17D5F2E792B8D4B0,SHA256=32FDD63EC5812E81FEA822208C7F937F51639E4CCD9C38A5F1715DC36767F2FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:07:59.523{00000000-0000-0000-0000-000000000000}4292<unknown process>-tcptruefalse10.0.1.14win-dc-966.attackrange.local64147-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000299329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.162{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.162{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.162{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.146{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000299318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000299317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000299316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000299315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.130{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000299304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.115{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.083{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:04.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6363209559DBA067526F4A17174FE3A9,SHA256=30B9981A85333F337A395CCE7482C410A07793A3A4FA261146BBDBF1E1D4F6F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:04.701{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:04.701{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000299349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:04.701{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 23542300x8000000000000000299348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:04.529{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30660D4CD06C52DA918137FDD92477CC,SHA256=04900AA352489E3B78F554E19B14E316CE54AA1451F35A55514FB9F02BE49C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:04.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40F74EB90F4F9B80E99AA3AACA05B4E2,SHA256=A2272731CB17036AFE95F782F4A11107D5CEEA72C4BAD42FFD1ED2B85B697231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:05.932{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E0EE14D7EF3BF972053BFF15AB741F,SHA256=E52D076D8932216F767D30F24EEDC59A9D8024E4DF42E97C6FF1C11B2DBEF560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:05.545{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6030A8AC83A1FA9CF4FADD4EBCD1C0,SHA256=FA09914EA6FEF8976CAE213F7930F0E7A4465E37226EDC0B8936B6DEB8C5B2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:05.478{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=276EA3CE7268B8A5715044DE90A5BCC1,SHA256=08BF766EC54EAD809DDC3FE755BB001732BD9705A965699B4404C4F92E5630E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:01.800{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5727-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:03.344{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64148-false10.0.1.12-8000- 23542300x8000000000000000261076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:06.963{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A0AFE84A9D2D70F1F72F28BBB33E6,SHA256=543ADFAA65AFCFDB846640DD639B80EF49F8F905E1A84D19C77789EA392C554D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:06.560{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C388C42854A288243E0EF48527F72D9F,SHA256=108593797FA9B8FE91B21DE1580A0445F13197A3198885E9CDA1C893E8DE965F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:03.682{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7617-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:07.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAB68222A905FFC4F36A0F01AB261ED,SHA256=7389853B7B357EFC3DDB9CEC15747E6EF375AC85B9A4E197613F9873B73E4C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1030A081656C3B393E6DAB9BD4754657,SHA256=AAA45BACC1B4221EDCF1B2EEDBC10F72F43FF2558880D2702F3DC4B949A7FE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:04.518{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:07.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20A94092A8E6F4B85663581867D47039,SHA256=F9D71EB142808F0104E5694117F40EED52AE4AA312F67EE4BA69D1FBF6F8C75F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.576{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.466{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.373{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.326{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.326{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.295{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.295{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.279{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000299355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:07.284{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,soundsC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000299395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:08.670{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE8D95359484C48567C549F6BD6222E,SHA256=2FF2F5E05E17755C5575821BE4F0B516A57F8191243361DBC8587DB0849D0E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:08.900{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DE94F34DA69F2BE4BFA97F726D62F3,SHA256=54F8DC7B6AFEAFB641584E239C674A177B66B9F7F39FC42541088AC48363E769,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:05.360{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9135-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:08.279{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E809895341D9B0B1C51836905408AA34,SHA256=1B3E329A928491C87AB7A82D107FE0273A236CC704CFC83AA75560A7E6134D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:08.279{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=152765FA6B0FA38E62A9F4CF8B593788,SHA256=7F10B3015A4DDC878B28BD17704EBB11190DD8A6138D9421C925E13E4E25B74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:09.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901EE5E453B56570BC31F735297D9D7A,SHA256=B37A375DCB25AF600DE8AE09A8C008A91520AD1E8DAEE20985CC591F7F197E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:06.799{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10799-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:09.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCAF7C7BF416AA02169BF3AFC5B9C6E,SHA256=1C71DD9B08B26730E690F6C15EF89A38C3E3F0092E2A3D5C7378D50CFC600544,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:08.344{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64149-false10.0.1.12-8000- 23542300x8000000000000000299397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:10.701{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B076B292D885425B6C7ED237373B3A82,SHA256=A989C9E603BD1FCD5D299F0CA7DF18A49DAB7D97FD01898F40DB2441B78A56DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:10.260{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D572DBB81AE341F7CD32D5CB04E6D538,SHA256=15C2B761BCE32329F42176AED74919D1ACEA84D8FB16C2957287C55C3919445E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:10.135{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF64C9A5230CEAB5485292CB48011254,SHA256=4D4E8FB85BE6ACF4CCB8350C0E50C20750FD1899B7A1D4F6881182096286D67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:11.701{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E0F06F5A62451E87D4F71C43A97414,SHA256=DE260CD0A558D69D27A63ECA8591E29FC4C97641769B55FDB76D200AB5F2D696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:11.713{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D7AFA38E7230E6B0F0D8C2F0C703B70,SHA256=A15E4C3A43E58FA3296F1467384F05B080F3DF5DB2B99F48C0DA701EBA19E75C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:08.467{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12450-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:11.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8023AF7673E10ACE5AC887AA9C3962E,SHA256=26E6237966881BF56C69E37C77B092492F23B6F032925D4D160B27B9237A829C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:12.701{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5766831CAE07D846132191D4E04CA4AD,SHA256=271D9B8C9F176A8C5BD5E2797D538F1AFAB08B0E2BBD33C99E28C6C9D619FA77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:10.533{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:09.811{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13922-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:12.260{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7632BEEE603A65BC9D73FEEEF494A2B9,SHA256=B69169C5F5A8747162E1B322FF33525958BC4369FC611DFFFD96AA301DC6026D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:13.717{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D1F6F6162928D4EF68E7F600BBE23F,SHA256=093273163C55F8337E16329BEBD7768A1F3CE82F63D9AF3244C68B25FC7C23A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:11.284{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15387-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:13.275{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA8C9F4B1457D10BC6B149D80695552,SHA256=A8084C8D0EE1CEA369DD8042A848FF8F93C08F217C1260EE194ED48B6902BB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:13.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CEEBF9BAB4AFBF9F753C58DDD19910,SHA256=C1615555A91B0ABC6F3BD04DB6FBA4DF6652E658029ECCD7EDD7499C5596FCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:14.732{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B191A0D19C3921B3EA8C557D9E1D45,SHA256=E5EF696815D5D58536E1BC96CB1CA90EAF6EDCBF3D34CD0DF00E3720B90EF439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:14.650{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D38E4D626EB3EB6849E39932BD7BF58A,SHA256=D6439855B82FFCAF7DA4E19A8DD385C449F9DA017A361C0349029EDA33486C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:14.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF542738AB3948BB55148ECE3D42C20,SHA256=A289D3590E84BFA47F7FB0696C7297966AA495E28D3CACD3C44888AC02AA4D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:15.748{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79431CDA3AE81E10B9D821083733DBFA,SHA256=ECE39E82613614B007B31FCB16E3109B66485CCAF1B2E93BC7B9526BC8CCA386,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:12.656{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16781-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:15.385{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A0C28449D04D83120A447EB07A8436,SHA256=01307542180FA963898310E3B117A82919E7BAE288BDD4D3060EEB828824C9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:13.500{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64150-false10.0.1.12-8000- 23542300x8000000000000000299405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:16.779{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FF14EC9AF977B0AD49FE006AD44291,SHA256=99B99D98CEBB79ABBADF2784279521AC895FD7B6BF2D091CA947FD76670FEC82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:14.294{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18352-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:16.447{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C20BD448DA1E0E5F61128B456B2922C,SHA256=CA8F035AFB5EBB61519DBDCC809E0698FD757131A5DC3C065836681CA12034F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:16.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E33444766E0FA31844C1E4D6ACC0D6,SHA256=82FBE2A150042255F07D5D9CB140D47B20AD9E8594751441FC7550843A033E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:17.795{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBA240AF7E5DBAA29ADF0AEBFF22AB6,SHA256=2EC407DDD6A5415E0D093A148D79A14F9A8E88A2764BDABE1377131149EFD362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:17.650{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DEF85614664D40BD94E139E7E589910,SHA256=5163D635C66C200B68C98BD160B5F15BB194EC4BE30BB3C550F1EE6AFD321498,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:15.721{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:17.463{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106B1A2944523951B1387718567CFE12,SHA256=49BF70A9D3DA404D5E050957138222C907ABFB64C3A4A425FD0D7C72C5F21552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:18.810{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CAA65A6EB786A8438421267BCD36D1,SHA256=7931874DC368DB0593CEDBCA2A1A692891D95D7CA416481D5B545746E2652345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:18.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=796E55B9D736C0E236C72BD5BA980C94,SHA256=C963839A23034F265F5075AA5D0F532F9B917E90F2D92EC6D319B80793270E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:16.529{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-56191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:15.801{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19785-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:18.478{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DB2BB5ABD312E2B4B39E7391766FB0,SHA256=87A246B877606C84338227F7B69CBFB7778668D24BCA6D839C9209B33F63CAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:19.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A471F6DC31C3C79034E710F19E6F36,SHA256=92BF332CD1A1F6FF11DC57838D36DBB74BACFA5FEECC5CFCB83BDCC124C4FCD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:17.213{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21384-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:19.494{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A99CB0B51D28F4E2387FAA106942BC5,SHA256=0AB1148EA710378E6220FA3F690A0712A290A608D9B5096B0B9824DF7560A340,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:17.089{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-56903-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 10341000x8000000000000000299408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:19.107{5097E253-8792-6149-A129-00000000FB01}43168100C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:20.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE95B29E1A8AA3E0AC428C203DC6918,SHA256=081C0EC175A90B6B3F3E7607CBA7776E4DDE34C31662CCEB34A7157C5113F518,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.900{C189DCE5-92F4-6149-4627-00000000FC01}32682084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F4-6149-4627-00000000FC01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-92F4-6149-4627-00000000FC01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.728{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F4-6149-4627-00000000FC01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.729{C189DCE5-92F4-6149-4627-00000000FC01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.697{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE15620AAB92771F741275F20BC239CF,SHA256=DF6BDDBF3E09A42F3BB114646203EACE3EA272DC66BE515AB6B57CC0AEF492A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:18.726{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22940-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AE313A6802B261BCA71CF0ADCE414B,SHA256=335D202B4C912695BCD46C34E61144ACB8AB88829ADC06CCB7B9DF964E0545AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:18.547{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64151-false10.0.1.12-8000- 23542300x8000000000000000299413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:21.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911F91649BB946EE50D69EA9080A20BB,SHA256=95C19444EDB7CD394FBA02E3BA23CD4093667DDCDE017767032818CACED6AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46BE7E48EEB557BBDA20A847498EEB2,SHA256=B94F851FCFA1BFFED2AAFF16CB905C831C3832DA60200CABAA24F5FF4B272887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DEBACDAB19D0D32A4B00312991602D,SHA256=02796B32F8BFEC96001C637B433E4EF3E64414AB56614AD400DFCCF2B7B07AEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.556{C189DCE5-92F5-6149-4727-00000000FC01}25482416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F5-6149-4727-00000000FC01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-92F5-6149-4727-00000000FC01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.400{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F5-6149-4727-00000000FC01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.401{C189DCE5-92F5-6149-4727-00000000FC01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:22.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A806CB73CCCFB644B52B2741D7B36107,SHA256=9BFEBED99EAC59AA173276F23707AA8C100EEF80AADED22161606268EE97C4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F6-6149-4927-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-92F6-6149-4927-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.744{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F6-6149-4927-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.745{C189DCE5-92F6-6149-4927-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.588{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDC02449A081768CFF0DBD847293974,SHA256=25A81DE4B1A37DCB72A55A52DF5835DA1442652A175A2E3B5571C2B28C77675B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F6-6149-4827-00000000FC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-92F6-6149-4827-00000000FC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.072{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F6-6149-4827-00000000FC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:22.073{C189DCE5-92F6-6149-4827-00000000FC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.719{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26045-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:21.689{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:20.250{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24463-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:23.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA74816E33ED4A4DA398AB47D28D0172,SHA256=AEE1C6894AC35159091241699E57141A7095D526C60DE10151A6FDDF9FB1C3CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:23.232{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:23.232{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:23.232{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92E7-6149-D02B-00000000FB01}6764C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:23.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C318275EC435F9C8AE0B88CE8D070F28,SHA256=D2859DB51843912701F20A32FE365C6104A8709C9CCA75BFB8D9A11982068DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.732{C189DCE5-92F8-6149-4A27-00000000FC01}29401276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.638{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D146319F59271303702601C0C26C858,SHA256=33F04AB8921E2D6EC6C79B833FB0E2CC659F49ECCB84295E31457014495D4935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:24.049{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A84EF25E846708DD9F1CC2EBD6A7ACE,SHA256=B33B47A0A7829726EC2692FC9C01BA4CF95CC335D216FC6464240EDB066FE96C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F8-6149-4A27-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-92F8-6149-4A27-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.576{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F8-6149-4A27-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.577{C189DCE5-92F8-6149-4A27-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.732{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8FFD8F0D99916E666AD92C152A2788,SHA256=2E710A323310C55BB95A468848F8047B6FE640E482E0D38E35751AC89C4C971A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:25.080{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0E3C70D47BDBE3DA050306E672C7EF,SHA256=5DF23B9B3A8E5BD9233609F2FB030F22F16CA101550B82EC775E68CBC72319AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.388{C189DCE5-92F9-6149-4B27-00000000FC01}33043236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92F9-6149-4B27-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-92F9-6149-4B27-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.232{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92F9-6149-4B27-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.233{C189DCE5-92F9-6149-4B27-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:25.170{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E75444D4C71E589121B84438B652F88,SHA256=6E323BF5020B515D9DB3D0E0A14E78E2AE6F894E734A4FD76A1316ABA21BD85D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:24.803{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28960-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:23.268{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27555-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.795{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EE6CA499B62FE750D6F6909EB7088A,SHA256=A6A94928D583DF9DF41A54F65CE18CFB5BE309AF178A53CD81CB920BE84574DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:26.142{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E517BE3F337B3B5E1BACADBB41CC8731,SHA256=58983707DC24C4D466B0596A5F6747F96E4D18C956273DD295D4D495F9962872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-92FA-6149-4C27-00000000FC01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-92FA-6149-4C27-00000000FC01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.482{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-92FA-6149-4C27-00000000FC01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.483{C189DCE5-92FA-6149-4C27-00000000FC01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.248{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=556DAE9FEC70930503B0DCFFE1F4CF7D,SHA256=133CE5B824C499E867FB39079423B7C77F18FAF6948236532703CA2A42580324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:27.826{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540AEF335772792B6E1134EDF0830460,SHA256=05384B35439ED89A004048365CC82A2B6DEB57485C086686FB2A9E3ED6EC5319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:24.457{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64152-false10.0.1.12-8000- 23542300x8000000000000000299421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:27.142{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB8AA612409EFEE20388482656221F1,SHA256=BD4F40FE7FC42DBCBAA7BF5AD2869845BBBD826211B4DDE604973DB10D7FF8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:27.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC14409FC3334520EE24FF45A4C1148,SHA256=B64ABC3B7D45FC0AC3FB591B96162F17DE53787485A277A1549AF57380720B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:28.873{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A29F12847FA9B345468D591A1D8AAF,SHA256=44CFBC1C2EB098EC908D71022A5834519D0C4512FBFF8115DA9293638C9FC278,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:26.167{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30386-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.861{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.846{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.830{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.814{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.814{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.799{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.799{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.783{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000299425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.794{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,playbackC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000299424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.642{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD421FA3171C0DA2ACB04187D0D32126,SHA256=A0F6C193AAACF0EA71C83983EE7D4CDA97343BC3ED54093583C1BFCF3F869219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:28.221{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D930569ED862FD5BC2BEDAC8AEA831,SHA256=CB428986FBDF30B4A780B3172C94202CFA52E0078ED5A92923BB507A6E2C5B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:27.615{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:27.613{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31761-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:29.888{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C282C06416C73F56D82E116D908B097C,SHA256=BCAE4E9B5089B3BA8B5A554A0F5B2177FE37A1A4CE825F5EBEC760040E9A62F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:29.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7225702CB6E06EAB8C6E6878B6DD2517,SHA256=C0223E5D2B259D0C33860C9B6F3D035A9D056EC79D6655E656BBA7CCE5DA78C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:29.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E809895341D9B0B1C51836905408AA34,SHA256=1B3E329A928491C87AB7A82D107FE0273A236CC704CFC83AA75560A7E6134D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:29.533{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4BC7E570F2BAAAE668996096421F63,SHA256=43D4F31AB012D2F58066405B96233C365E434C46D00D2B9FC1C9F1F66F6C799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:29.748{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=325FA44306AD959946DB0624D4863D33,SHA256=FBC2DBD69FB460797EB4CFD94A98B451FB8D1C16A1E6B8CA587D564B2B95D043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:30.904{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9032AFF21DF90A64387E2BA8F20AD5F2,SHA256=1AC97A5F9BA1EE1EDE5F981B6B0D501144E60956A637AB42719B88DF2246939B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:30.533{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EC973649DA94E7C71B0C1791EC20E6,SHA256=C6844DAFBCCBE28E8E6D22CA82B8B7EA109008BB1C40A7CB34F82D2B701C7E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:31.920{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9F923D11E0AF69A1DC52452DB42C64,SHA256=FC49F9D0A5B702D0FAC6F90BCA0440713E7CA1968FD2B1E9E0AE7DEBEE391BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:31.549{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F43A5A4459803BF7823353C659DC462,SHA256=86C441E193CBD1085DAF1D35DEC4A081C34B0C62C12B27319D6FBCE6F0F7276E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:31.248{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166BDA9D4474AB59D96DB5178B7E8CE0,SHA256=A39820C94B43E49324A52B09F330F0884D833323C48021389FA6052BCB587831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:32.951{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD2D21529E91D532746AE59F9969719,SHA256=CAD1B264CE396E30AA6FD3423C4BFE7E0669ABBB885DD001AEFACF00B266972B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:32.549{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6303B2CD1366518DDEA65E05D4D7354,SHA256=F0743B659B3D03446EB767FC5FF0E84A7C63D7985800DA94430025DB5B9A8342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:29.473{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64153-false10.0.1.12-8000- 23542300x8000000000000000261239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:33.951{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5F2B2301960E0498D74A265228A93C,SHA256=A426EF9E7AA0599CA4B1BB95B05571CDC1A0BFE68A9A964DE6E8CF482551F571,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.689{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.689{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.689{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-92FC-6149-D12B-00000000FB01}5220C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:33.549{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934CE8386595D731B8880D3B5CF98F48,SHA256=BA2E8E660D79476E890DAD5349C27BE2A343441AB7F2A7DB573AB9289FEBF4BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:30.948{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35033-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:29.300{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33459-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:32.998{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CBA91B410539AC8C839F0D01C26EA1D,SHA256=4CA089053ED0CD0635B04FAF7C792421F3204C2804884F636A2D4D4D6FEA14E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:34.966{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F574506ECA3E6AA239C143A4D2CBA88,SHA256=B90BE9C1789BA9F32B964C97A073F02ADCCF0A0C5D32FA44F71963EC8DF7AA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.564{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94758AAA073A969A1F9A6C11468D561C,SHA256=A4DD6A54B64811B3AC3015049663AB55A0C56A2FE3DFEBB8082CBC0B5087E693,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:32.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:32.549{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36741-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:34.341{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FBC0568618804551F9BC2FE42B314B,SHA256=81050A36D0BF33677B1895E3AD2B4CCE6B7FC4196179EDFD7792FDFB64725E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:35.982{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3289C8DD8601AF7638A77BDFD63C73E2,SHA256=43B871C68B93C358491E8C2D7F5F08ADE8DF3BC658318587F80906C19E36FB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:35.642{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:35.627{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000299476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:35.564{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFA0D666FA2D4AC501694EFDD027FB1,SHA256=C5F27B3D2AC08F76301EC6B18319877A6E11A5E47FD1E6CC46CE8DAD7808C56C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:33.915{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38234-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:35.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0596F855E20F793AFB60A3AFC06E96D,SHA256=7B541568AEAF77E3BE87B5930412913CB10850158D8176FDD95D3709FA9ADC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:36.642{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27D0393CA423920258D01F587299B870,SHA256=60FC8AE929AF694CB3A5D5183ED90D3A866229A60F2279EF98F3ABC5CF76C5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:36.642{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7225702CB6E06EAB8C6E6878B6DD2517,SHA256=C0223E5D2B259D0C33860C9B6F3D035A9D056EC79D6655E656BBA7CCE5DA78C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:36.627{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22CD05172C80BFA4991A56DA7E240E9,SHA256=A62D9EA38DA9E501E5A4B7A9CA8B80BF112F22FCF1D7AB97918D15B0FC965DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:36.341{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:36.471{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.767{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\TwinUI.dll+381436|C:\Windows\System32\TwinUI.dll+38153b|C:\Windows\System32\TwinUI.dll+37f40f|C:\Windows\System32\TwinUI.dll+1ee2e|C:\Windows\System32\TwinUI.dll+1e6df|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 354300x8000000000000000261250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:35.459{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39701-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:37.248{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7978DCD9BD6A5614AA818FB3EF8F1AEB,SHA256=CBFC44487332903CAB45034D28E91CEC1C2199195D0EB331E8A614C709DCD8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:36.998{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503D8BA68BAC25D0B0A77D6B2FDF11C6,SHA256=21C3AFDB8174BC1A735D9A8DF456BD83BD6CF428A2ADD3E8A1ABA92F8E67D7D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.564{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.564{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.564{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.564{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000299518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.945{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64156-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000299517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.945{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64156-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000299516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.842{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local64155-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000299515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.842{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64155-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000299514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.835{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64154-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000299513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:34.835{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64154-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 10341000x8000000000000000299512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.533{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.533{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.533{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.533{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.533{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000299505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000299504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000299503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000299502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000299494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000299491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.517{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:37.486{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.799{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF174919A84475693F4AC4A1F5C42D0F,SHA256=24EAC05AC39AF54EFA65B419F07FBB94BFF47ADE07834017611EAA37981F9445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.627{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.627{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000299528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.627{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 354300x8000000000000000299527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:35.770{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64158-false10.0.1.12-8089- 354300x8000000000000000299526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:35.488{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64157-false10.0.1.12-8000- 23542300x8000000000000000299525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.002{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F88C2E03CE18CE5A5EE566C0DB73FC9,SHA256=B9856678CB818FF820D00555CC4DFD004A57D48BA8B5D97C30EAC11EC3B7556A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:38.002{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6291873BD0E5B426EAD7BF5B18D84A,SHA256=B6132AF129A86D4EF6F1A074BC16486D71D7E5A76FC639343EDE83A7B47B5D31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:35.803{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000261252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:38.732{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57613175D2578BA5A613BA9C88F9C8C,SHA256=9D78DF52123ECAC5284867A9EB23273580892634F1612E8E6D0A451BF9BF2F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:38.013{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFA86C6AFDD91BAD909BDB93ECDB94F,SHA256=BBC2E9C6AC5963457C3FA7FAE21988602A9B6F440D8CA0190AE90A994E298C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:39.029{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B9D949078A932954A7A7E0E87C181B,SHA256=E97A1E40CF7223016995EBE15E833FE114906E5EF44CE7F1BCDC969FB7723B8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.721{5097E253-8792-6149-AA29-00000000FB01}48164396C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.705{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.674{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.674{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.658{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000299532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:39.663{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,playbackC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000299570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:40.658{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27D0393CA423920258D01F587299B870,SHA256=60FC8AE929AF694CB3A5D5183ED90D3A866229A60F2279EF98F3ABC5CF76C5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:40.268{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84171457831F36FC00B83CEA3E88CD65,SHA256=8E9E0F74F5C5FDB6BAB8D4688E6933A28C42D162702B30591F58A6AF31BE505D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:40.107{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EEFFD9C308855BE5CDBC75BBB980F06,SHA256=FD5882FA3821C24A688FFB678925FDF196F19EF2D7CB009E6F8FA24FCE37A5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:40.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26183F07DC4A9CECC932E65C839B9DB,SHA256=23F0D625AB524630006C3CEDEADCF92489074E5766665D7260048D311C83DB8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:38.285{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42726-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:36.804{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41207-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:41.424{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773D4CDD32E755E3A51E00540E81966A,SHA256=981CCE71F4A82B036D69BF8F5DA851BE4917ADA638750A22FCA3759CD7106F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:41.623{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACCB7D3F19C1C22EF13FA3AE90D500E3,SHA256=B6F9C4CD3D173B2531AA40C164F101DAB92ED6F72C6C1C72350EE8B9088B3724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:41.123{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE6236646DAB6D222CBF32EF7A2D6A9,SHA256=037A4F2081F074F02020039C29855C2993A2A41D9C2752F3A450272AD8D72999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:41.064{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000261259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:38.506{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:42.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6759AA1CE2B8F8D14435D3313FBB654,SHA256=8F61C627B72CD5BA3E6D4FA76AE4DF25352AD9173C7FA780EC0F7E1097379B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:42.138{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E4AE8388C5B47F5EAE7F7672C45ADD,SHA256=E98F7EB921424888333C90E0187723560B6BE161AE1C56D654BC99113033B071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:42.397{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1375MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:39.714{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44161-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:41.474{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64159-false10.0.1.12-8000- 23542300x8000000000000000299576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:43.427{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8266314F7BA0DA98EA4375DAFA8D551,SHA256=1B3019438E5616E3379025D0ADDF62878B90CEA0844A18FD6C5E630F20A80808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:43.154{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7352CB6755F88D70DE3AE40FA301EE,SHA256=C3B34E67DAC9B907D5BD85BFB681A88ADB7C0BE426882697ECECD38FD15C892A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:43.398{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1376MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:41.264{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45717-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:43.029{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B641BB2C72D13EB5F715A610E608FB03,SHA256=C6D66393E438D74AC407896FCEC57F7F9B6C70BE7874FACB3DE71C85B9580C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:44.477{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC6F5F2EF124595BBCDF2CE145FF276,SHA256=26BE3E94E9F814BDDB68A70F5685F1432D943B5E7BC5D65ED3BB608CC5B9A833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:44.472{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D0E775EF64098CD23F55BDE3820BB2B,SHA256=124EEBD645320B1417ADD78EF319D740788D0CCEF5CE07D12BEE01C246309853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:44.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6BDCE9316BC59FFCAAE254AF27688E,SHA256=B82AA8DD088704517BB0F0F1CDF65079F4D4485B521572000A84A28E075120FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:45.493{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CC7CF539194277434D3FC0C7DA0901,SHA256=EF59486FAA96BAD119A529DB84B6F4564CE6E6F697ECC448CA7EB8D6506BF2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:45.894{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7D5D0D6FCAD81642DD9AD67CE060856,SHA256=E70AF6C3DF21FDBA3D1A73740FF75612EA060AE439AC4D5553294EC83F48384F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:45.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BC641842E682BDC5A94AA06A185FD5,SHA256=2D9885D1A5A82E9C6A0188B61C8F468A364AD42436B477148E4B4630F74C5194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:45.477{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:46.509{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3904D4CF925B4B9CE44ACA00A0450A,SHA256=1C589D06137D29BAF8FDE985145CED621B86A6D4D5CAE38B7DFF9B3D2E8BABB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:44.527{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:44.025{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48717-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:42.582{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47260-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:46.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E962CE69039951E15DA56D8CE5826F,SHA256=141B89223BEA1C02BA08655A481E32F295A2CAEBF13AB8E173B646D4E25D542A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:47.524{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E269293FB670D11D050633D531CA435D,SHA256=F79D8E7BBD69DE33AE42E2A63390F4B3AC949CCA9B3E10E5B2D0780979C95023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:47.410{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C9AC1A4864A9076A9829BDA31408346,SHA256=147AF6E508F93F4D85947E52949CA341F11A2463B8E1B0D2B8271E5033776157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:47.253{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC40577EB2311E53DB5D2EA7B07C72D2,SHA256=52FA4325BEEABFE5511C79941365DFED2E0FDAF04B0071B68B58359E81AC650B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:48.852{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:48.852{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:48.555{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E36B6482577A62201181D39A04D659,SHA256=C78C5F01EEEAE74B8D34C180432B7C79F5FA125C7C1A2273C6FF892EB911C2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:48.894{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C549610661B081EE4966A188A00C5863,SHA256=D42CF565FDCCAA40D76AB712B9D8D360FA8D197663D5F7302D318E0A79AFAAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:45.488{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:48.269{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7BB6004B7D06C20AD66046A6F21EBF,SHA256=96C8446DC994E62EE0703F2CF1DE05078DF01D07EA5BD6FDEF419287A60FFCE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.712{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.712{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.712{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9307-6149-D22B-00000000FB01}1448C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.696{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.696{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:49.556{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8D764BE7552C3D502ADC74D7C0FB9E,SHA256=B01C9DBE326F8780023AE1AC6C12E844AA6952AC37ED6215FEF7AEE87CCF6ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:49.586{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1367MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:46.966{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51770-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:49.271{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9E1DAF83036454B5F9FFD1988F32FA,SHA256=6D733DD5000D518FDD307FDAB29A08CCAF9B619A93030452ABB8810CB612252B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:47.370{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64160-false10.0.1.12-8000- 23542300x8000000000000000299592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:50.571{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F0C14B86E3CEF6881A0914EC065EDE,SHA256=58FB346A8A1FD535C7D422E7597B45C4205BFF0D818DA0681FF28F679D7768C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:50.600{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1368MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:50.286{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752A666496F0D8B77CC807BC17B4616,SHA256=C6C664C9698E38CBEFFC0100071FF25E5065DAA1891CAD19846A8B31E574E893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:50.271{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F67C6290297538F6292B37433C15412,SHA256=92E0CB06E935221F5E3F7E47AAAD810EB19C97A99A589BB713595ACEF142C0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.852{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A5DE9523233CAAAC83D6432298B259,SHA256=BD2FAA64AE8A567F58C5B9B5CDDB694900FEE98F1746204C47D263E7EE1845B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:51.761{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B081A98F5F3B000C73786D7F4A9AF5,SHA256=FF0F17731E438E07F92D376846A36A66EE5F8C30807FC5C7ADE1F2835079B4EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:49.732{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:48.500{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53298-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:51.292{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D341A92B085464BE8329E908A260DBB0,SHA256=E22A91AFF7413FF754A9905429E88775BC3F7DD9BBE6B3DB738489B01DB3D258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:51.165{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FD7B4271AF96D04DFB9D3A4BD88236,SHA256=805C06E1834EA9CBF89CE6C8124F989AC7E2C9B6536074CAAF3C54114AEE49F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:49.886{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54811-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:52.323{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02867C24378E94EBB511C915B98CEC5C,SHA256=ADB3C664A593ADE89122D2D16205750448E293ECD51C6A8430114B4BB5B28794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.743{5097E253-9314-6149-D32B-00000000FB01}9487640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9314-6149-D32B-00000000FB01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9314-6149-D32B-00000000FB01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.587{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9314-6149-D32B-00000000FB01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.588{5097E253-9314-6149-D32B-00000000FB01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B722C6597F39EF7E0EFEEAB1F88F589,SHA256=482B47125E2AF0395E2EB0E64C48BFA7B48DDA6495FCCAD2163E654BDB3323AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:53.386{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC5471E758A16593BFFA15FF027625B,SHA256=7E8D5DD68619740CC2210BFDC994FEAD6C68985200A3D90CD85CD934F09C7FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.509{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9315-6149-D42B-00000000FB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9315-6149-D42B-00000000FB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.384{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9315-6149-D42B-00000000FB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:53.259{5097E253-9315-6149-D42B-00000000FB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:53.167{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E1BBE7AB56B6C49D694B5D4F2BC64E,SHA256=8DBC3C2FF56CCB53BADD18FD7A6AF6C64C0E084E7429A251A1DD0F404B69E333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:54.808{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E88589F4B4E2AD0443DE7291CC9BAB2,SHA256=66DD9F61659E71400B4A635B9278F7BC733F3FF685C7BACDC3F460A91F4EC5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:52.807{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57833-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:51.313{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56271-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:54.417{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905C8B19D62C2035322A25E66D4E70F5,SHA256=AEFA92AA703F93CAD5A13B4819C00DE7BC1B99AE8157C99E7FA222024A8CB79E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937DF55CA2182F7B3470073382125207,SHA256=FF6DC44A45A5915577CCB1F0775FC98853426DF7D08C6E57213197310CDC89AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.884{5097E253-9316-6149-D62B-00000000FB01}25326932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000299669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:52.573{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64161-false10.0.1.12-8000- 10341000x8000000000000000299668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9316-6149-D62B-00000000FB01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9316-6149-D62B-00000000FB01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.727{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9316-6149-D62B-00000000FB01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.728{5097E253-9316-6149-D62B-00000000FB01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.196{5097E253-9316-6149-D52B-00000000FB01}60927632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9316-6149-D52B-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9316-6149-D52B-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9316-6149-D52B-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:54.056{5097E253-9316-6149-D52B-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8403723AE387160EB6152CC78A7D5C3,SHA256=A06050431CC4E0FEFA95C2F1FF8E010B0319C61D4632F3BBF9941E7E9A9AFAEC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000261308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000261307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05049b9e) 13241300x8000000000000000261306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb7-0x89cc6b15) 13241300x8000000000000000261305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0xeb90d315) 13241300x8000000000000000261304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec8-0x4d553b15) 13241300x8000000000000000261303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000261302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05049b9e) 13241300x8000000000000000261301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb7-0x89cc6b15) 13241300x8000000000000000261300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0xeb90d315) 13241300x8000000000000000261299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:08:55.870{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec8-0x4d553b15) 23542300x8000000000000000261298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:55.433{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C61BFE8B480524495DFD5E327BF7038,SHA256=816030F5D2B603666C504C7D36F16065DC82B6DCF64B01D6F62AB564D35A1D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9317-6149-D92B-00000000FB01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9317-6149-D92B-00000000FB01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.946{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9317-6149-D92B-00000000FB01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.947{5097E253-9317-6149-D92B-00000000FB01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.446{5097E253-9317-6149-D82B-00000000FB01}42083784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.305{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D9E28301E4819C0BE525E780E89DC3,SHA256=A5B63A362D58EFB84156E12F550A52AE28DC38BFEA9CE8B3E7616A1D9054B302,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9317-6149-D82B-00000000FB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9317-6149-D82B-00000000FB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.274{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9317-6149-D82B-00000000FB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.276{5097E253-9317-6149-D82B-00000000FB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.180{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.165{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.149{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.149{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.134{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.134{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.118{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000299672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.131{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,playbackC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000261310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:56.448{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B78D9A8663684B89445075B8E2178D,SHA256=C4933350C2CB6345BAC84236B583F533D2BA90B9BE8CA7F6D81169C1044F5FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:56.149{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D3D8AA434954B4E70D448A28D2447E4,SHA256=5165EF2CFEB46C056C344929E5205236547605846040CE67CD138A6C4A1578E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:56.149{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F6AD28D812B5067AC23BD628DA0859,SHA256=2682938CDED3B2B13CB552EFC8AE2709E0AD472F82B140CF053F7462E65F717D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:56.089{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E9874E097497C77B7D4C12F5D0E0EED,SHA256=3B234BD7AF8BECD6782F4A2359F84FE6256C0D25387377546F80AF2C9DDBBE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:57.839{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1D94B8193DAC2C385EBB677DA38ED96,SHA256=67AAD9C8910255825DE4E70AA85113549171F32A10A710F0D1275E33452FF8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:55.824{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2020-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:54.738{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:54.361{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59388-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:57.464{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6025B313F0235B104E95E8D25BC9199,SHA256=E27382B361DEA8A19776B499C8938C4C9B26D3B71F374965D808C5BBFE0D3F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.870{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64162-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000299731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:55.870{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64162-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000299730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:57.118{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAD4F52379F928E2207858426D04D76,SHA256=87DF4E813A58E8076595D45782A965D74D8B29E1D03E8A41AB12D82A0209DD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:58.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3A3FE263A353539259745D867ED955,SHA256=FD4BB9FB5DA73217F4F699002169299EB2165A73EA3B780B316D759AEFFD83C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:58.118{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0D642ECFD345B8A136578D23ACEF37,SHA256=45EF8F7E7853EDEB1B5173DCE6F72EB309BAE5228580CE03A6BDE9BADB7C28C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:59.495{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012F5A204F5474A213ABC42614383305,SHA256=CCD6EC34402F95B3DE2089D8BF16374213E4AFDE0FC589104EAB97F2045DA9A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.555{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.555{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.555{5097E253-8792-6149-AA29-00000000FB01}48164708C:\Windows\Explorer.EXE{5097E253-9317-6149-D72B-00000000FB01}5996C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.134{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91057E1F0248F25201F68EEF49062F41,SHA256=3C1CD13192F2D17E9BAA59277457A038842A4444A65D415D98BBC933E392049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:59.370{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB2770D19599FE501FA79DF9A291183C,SHA256=C81E9876E6E0FEE77438F9CB2428A05DEC1D64D59F6AC4D5AB349B2EB6760BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:00.761{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3801F08F1A9BC1A2E1F9A183DA1AB839,SHA256=CF0515D3CF78E0D1918C1AE34597FA70630E879047DF6163D736E2881C854596,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:58.952{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5214-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:08:57.507{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3594-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:00.511{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB252CF2081FC660B9BFB9588B36E538,SHA256=C7FB50D4ED890A4CE295A6F6BD7C7240EDACD2018804D4478D5D2F6C8D25C7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:00.149{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BFF947C2989C6820C56281F1B2D423,SHA256=835F2A6E8B2B6AAD524B90EAF4E95572535B74C83DF1352B92E1B6BDC7A859C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-931B-6149-DA2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-931B-6149-DA2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.993{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-931B-6149-DA2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:59.994{5097E253-931B-6149-DA2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:01.511{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7942C2D0C249EDF850EB34CBA12B05,SHA256=06AFECFB2EC92A32C330F7724924F2970E097B758521CA3A8AA5786DAB2240DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:01.165{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DA02F74EE7A4D35CA75889ED866BF2,SHA256=A1DB03B071ABE45F527030AEBCA3FA0E6A4AD331AD36C1D917B32547E63641EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:08:58.542{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64163-false10.0.1.12-8000- 354300x8000000000000000261327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:00.722{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:00.330{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6652-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:02.527{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919D42A374187408F1BAD31231D5BCBB,SHA256=A994B88C6D92634F5A9911D8F2C281525780CB351B8019CC2181D1B97C628DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:02.181{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD87729A93B047597D84790F3879CAD,SHA256=2C37E88F61A23CBCBBAD5DEB2708D51FD4D9AA0D2B9088035E04057B057AFC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:02.323{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E9E0A46624FEAD758E836C2965AE22,SHA256=AA39B461001E8DBBB2FA6747CEFDF11FB20FD20BA88CEA6C14F613883A8681A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:03.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F175796F94CE206C1E07A06FB711AD,SHA256=7F6172DC23D54F60414D087B40B724E08D7CA6092E6C0EA347FAAD3579C2F713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:03.546{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABD1C766AA5F62BAFDA9E55FFD2E2B0,SHA256=BA25655C53B212E391F2FAD6260534F78D795F179A605AAD766CE2E21EAD8937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:03.196{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9DC57B9D47D56354EF6A3A55E5E805,SHA256=043CF2F4DD11711FB1EB5FFCD83CBAE87CDC3501613E4A30BD2F0AD7D0C96381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:03.230{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5914CFFD01F1AF5EEFA674AA7D772DE4,SHA256=E6A782B6F0D19BA7878A801273240A849C4904B69CFE1691752BC12762D992BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:01.954{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8331-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:04.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72CE2DF5F370B11362922E669022076,SHA256=129015AC9663C8C5F43AB90F9795D543E982888D4102D583AFE623EF47248CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:04.269{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581D8EED95C4A51D3AEEDEE1B0817872,SHA256=EA6BEC9A0219C1E380B42D6759032C34BE61FAD021660071CDF7DFE955B74AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:03.406{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:05.593{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EBF4AE3045858C0131A4A7874BAA51,SHA256=12E95C649783ECE99A02DF371F96B2379DC274847D48A53AC63FE42DCCB2F92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:05.285{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9EFF86C6BCA293A7F030E25195E383,SHA256=14383F190DECB3B3B0BF2B4070E44E23D94DCF0A83871B7684DDAC451D302E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:05.296{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DE96E68F0E078C27F7383FFE65402DC,SHA256=7BAF1A60FA872CF44132239DAB5F73F3074115ABAF94C60642ADAA681048B63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:06.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3AF713EF35A5E958EED8F92353DC351,SHA256=BEC4F2C2A519F1783025088776649C900C2AF7A7953D6697B543B29B032FCFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:06.593{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D15B5A8EF36C8CCFC1062E4AAC737DC,SHA256=6C29CF1F4A2302AA239428234C3205F983F61B0BAC3ABD012296BB1E79C20D2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:04.505{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64164-false10.0.1.12-8000- 23542300x8000000000000000299753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:06.300{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9507721DF56EBB77116CB96609A4D6C9,SHA256=759AE54DAEA43D5D9BABC94D5BFE98CE09BDBFCB768FDE1A561EB5A1FCA2E574,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:05.726{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:04.890{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11484-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:07.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB38A1F62D7599F7E737B4BF0E8CE73D,SHA256=3D7141E40F8CD9E41D34BA17D7E7B9990C6A481CD2417B535DD84D0D5BCF2669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:07.316{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A812BBB061D90494C9AC872339FB168,SHA256=CBEE9180A3F1C71AA3E8B390409B82F64C7C5212A2FCD7C768A4C02C3704009F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:08.624{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1974EEF353ECDB09DC0722B0B8BA9A,SHA256=3CCAB0E735D2C7B106E0890C2AA5137BEB7ADEB20D81DFE542F6C8BFD77FEEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:08.363{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B4D1F714033D4D9738D4295BDF4E01,SHA256=0212E8CA2CA6F3F32B29C8255A2A595B4E0DC0FCA7974D9BD5B83CBA90C636B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:08.171{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C770AD32B8FF866AD901841A62B75B51,SHA256=02BCF537F01071B2B71B452352E22E7FE1C7BAB8CEF309B753E99A415CF304E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:09.686{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01287C4EF93327D0762D588696100AAA,SHA256=DC8FD8DB2B1120D2DC24E0399DC0AF55DA883C5BFD25D65E67EB0F6935A90538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:07.786{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14466-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:06.333{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12989-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:09.378{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7374978BB336E3E861C0B043618E131F,SHA256=038DA9EEC4F901B2F3C190D035902D47052885353BD683038E692765E4C8C569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:09.640{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EEF93AF108AA03816577975C727A264,SHA256=51BAFF40F34B05B742AAC9EA4DA786A1805076C2CB843CAC9F8A7237703E4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:10.718{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A027EF73386B49676AFCE4F42CB945A9,SHA256=3644F0F083EEE55FAB50E15C586F5E17CBDE2DF370620EDE257EEE2EC7ADDEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:10.425{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD8ACC36A0EFE63C873A034F639582D,SHA256=BCA6E33DFF675362641880B7ECCFC1D3AE58D1D285630BC11395A9A886562F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:09.285{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16122-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:11.764{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C858F05E18BC907D884FB026F290F7,SHA256=B1AD3B61090D71566FBA0CBC8E7467F0D256800D5D218ACE5D2B800D4598A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:11.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5977ECE526C8793CA16B4B5D30C386,SHA256=9061CCCE8DF78BF05F19FB05EFF8D2E75DDA5689A82CD6B00D8461C45B8C5EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:11.280{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11132CB30BC33D71E1CAEBF8D43697B4,SHA256=F93552805ACD0EF1EB249C409155A2314CA95ED1B01ECFE299248D7A5349A25B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:10.893{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17705-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:10.741{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:12.765{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A72D7734E1C92A30341F2A5E53E53C1,SHA256=0C6FBE9E7307BDA474F5F23C1C9A584A136BD77697D594DC38BB01ED155114F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:12.441{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20088B6D9EA851785D76020D1AD03B90,SHA256=DFD9B41B9EFEA23F1A5B1A7CBE662C84B5BE716E38C61244F61A6EF1757B71EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:12.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719092D924DFF257DBFC9360D848DD7D,SHA256=5E34C6B5E69DED757523BA6D22426C0E20BDDB02EF38BAA608C76224A7879A9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:09.536{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64165-false10.0.1.12-8000- 23542300x8000000000000000261355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:13.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6379481B1B3F42EAFC5EA347F4E84685,SHA256=D537BE8CDE60B19CC08D01443BA45D639F54989700F9887403F20E4D9A81E3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:13.441{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F36E5983DB08FBB5FD8119CD1B8C723,SHA256=596E066DA6AD3DFBE583E44C99CA82AE4D2578BD33EB9C7BF6F15C062E2912ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:12.519{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19296-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:14.843{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AD52A8E3121D0292B02A126AD31524,SHA256=5AAB148AA3A85A1FCC9CB39E7C24D48314D38B95A2F94005B137EF357C95D471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:14.441{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440A386216D2156F9CCFB359FCC05BC7,SHA256=2AF1857383D9463866A0524DBCBEE50A1198F2D98B3E6CEAB85803621692E011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:14.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75ADC121BE1288BFD9A453B56C9E8AB,SHA256=339F6F064F6198DB68BF452EA931CA1196B1DD8064990AF5E6FED56D40021107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:15.905{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92183D45B0006696303EAA2EF6988003,SHA256=311A2C5DF593B6B3E8A18A9F25DC3163ACB802E7E3943814D690144C6C9E127C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:15.457{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1130D050B78821CA813B141BF02140DB,SHA256=76A9FAB32127E6C78DD99E214E09898F9764C0EF4D6439A52385A8F8794802C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:16.921{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B7DE2D1EE649BD88DA3A4AF5157672,SHA256=8105D816221BF6C7618693932A0F3DC0C52E3842851CE80C2AE861A13E2B44C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:16.488{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2088B0938D1A510AF4EE36DD79B45B22,SHA256=26AAA64B3F85028913F441EBAAD1E76098C52F4C45CE8F39D193DEB1A6687857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:16.264{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=703316C6BB018027FAE70E88105B1150,SHA256=EA0FBD0B5700DD428C0A7D3F5652814C8A4125DD11A2088EFAE715C544F9E42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:17.952{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5328517932E04ADDE5F251CFDDEC81AF,SHA256=BB307ECE7DEF36D539937EDBB09C29A4ACD00077427D0590EEE82A42687DEEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:17.503{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31E5CE59F7D06761AE212986B9BA7A7,SHA256=70390086BE65A46ACB8202617936854753E923765DB13FBAC3BFD2E76E6AFFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:17.889{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F35DBB0A9BB6A7108D21E8822D39EE2,SHA256=6C460E10BD8E4E9721E146422F39A6AEFDCB056BB80E106554EAE51B7EA162A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:18.983{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E664E1235CD1232879D6D2C26219D2,SHA256=EF8B0044CA054C236AC6FBBA7D3697AD2FF9FBB1D42596877D460B5E9870492C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:18.519{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4BF08DD9160830D89893FC7065C331,SHA256=7C3E4E546BFBD0BEEC38F202ACADA4B355B228A4D382928BE3DD52972B4A71BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:15.895{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22954-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:14.284{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21249-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:15.537{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64166-false10.0.1.12-8000- 13241300x8000000000000000299767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:18.019{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebf-0xf99807a7) 23542300x8000000000000000261368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:19.983{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEFED37BB0276BA28CFD99A50F5707D,SHA256=82F211CDC3FF3CEE79CB1F19A221BBD36618B1637339367674012C766CCC358B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:19.550{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EAA4E5489EE77D4F6B0E7CEF3F022C,SHA256=C4825FB8E01D48E2A3DAFE52E257769E6F6AD342D46F035656497E9AEC3DEACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:19.311{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=629D84F09C2C7F392ECF368AC4F53733,SHA256=C09A36307FBB03F2D0B3B73674F4365F4BB65BD2A5F62546C471CAEEE013A292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:20.566{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3653228E4DE0A8EAFD56A46D10B81CE3,SHA256=4DCD2B7BDE031462F5C75C9153FE24E5D59ED4CF9F46F3BD3A58C57E6E61BA78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.921{C189DCE5-9330-6149-4D27-00000000FC01}1400656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.889{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6EDC586B68946A77D192E2EC8423F09,SHA256=71939A5B49BA412BD371A5E9D038F70013FF97EDAE5AA2A108D06A395E14BA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9330-6149-4D27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9330-6149-4D27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.733{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9330-6149-4D27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.734{C189DCE5-9330-6149-4D27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:17.456{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24569-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:16.491{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:21.566{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F908CED4342A1EC241C07FAB3D6CCF7,SHA256=1527FF0574969248289C9CB08540DAD7AA2979B45B6E6EFA9A0D906E1CF86D88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9331-6149-4E27-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9331-6149-4E27-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.405{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9331-6149-4E27-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.406{C189DCE5-9331-6149-4E27-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:18.964{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26172-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.999{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CE4A6E6FEE572923C92ED25F0AF48C,SHA256=DCEC417F58891B618C34FF35CE5A66BA6704E8E4124EFBF83E1FA7DFDA0DDE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:22.581{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F786E93964819B2D94DFC429629834,SHA256=E30971F096008F4854A9AD5B3398673AACE9DFC0A083B0CB5BBEC3F04797C96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:20.441{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27820-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000261429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.905{C189DCE5-9332-6149-5027-00000000FC01}22083700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9332-6149-5027-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9332-6149-5027-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9332-6149-5027-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.749{C189DCE5-9332-6149-5027-00000000FC01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.343{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999117384E5B315DCB50B06B4AC51AD3,SHA256=327CA6BC6BD600976B873C0EC522CB4C7E2E08E3D6DB7AAB7CF868B2AC5D5DF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9332-6149-4F27-00000000FC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9332-6149-4F27-00000000FC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.077{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9332-6149-4F27-00000000FC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.078{C189DCE5-9332-6149-4F27-00000000FC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:22.030{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EF5F9843C307AD7545D58D36465973,SHA256=ACEDEEA9AE77EDE6CCD8D02A5451A4131F43BC99F40A8C5E7AFFED8D4BF9C7A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:20.335{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-57809-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000261432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:23.706{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE4B33AA899791A83297654B4A092744,SHA256=DEDE139CE33FDCCE75BDC554A55028B74707C87FE4B7361EBFDE4151AA469078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:23.503{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90290C287844694EFF6C594CA0ACC21,SHA256=D601C6524A3A837F39A105A823AB1C7BA0DE2066016BD2F3435D1082AA4A60FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:23.586{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD23D900B3ACC9637D013419A4B6619,SHA256=6EB772C69E649589A10254E0898A6D321400A7F4F3FFE74B6AB5208B2E732B65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:20.552{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64167-false10.0.1.12-8000- 10341000x8000000000000000261449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.737{C189DCE5-9334-6149-5127-00000000FC01}720936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9100F74AD6ECB520A21BDB8B5B0EADA2,SHA256=735E876EA3FE20F94136901DBF3CE541A35BDA93B8579C864597550C061BAC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:24.617{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE2ECC9E3B337FB7260D923846ADD63,SHA256=9FD19E6C441EC92DA521B09A187CC1585A34077F3FD08326D4F0A6EA19BDBADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9334-6149-5127-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9334-6149-5127-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.565{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9334-6149-5127-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.566{C189DCE5-9334-6149-5127-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.895{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29285-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:21.711{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:25.648{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4920C306EB83CCA63C06CE2E13B3067,SHA256=89CB61E4B9312B7DC39A9E8EF9FE51EECF88D8FE424EA33C42CF596B7183756C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.612{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBBF7DFCDF45F92F28D4890A89A039,SHA256=12360373BBC4877B816FED4977DA1CD5355DF3B914F05D5D6AFEBF06AA1BE13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.362{C189DCE5-9335-6149-5227-00000000FC01}34882236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9335-6149-5227-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9335-6149-5227-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.221{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9335-6149-5227-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.222{C189DCE5-9335-6149-5227-00000000FC01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:25.096{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=886C225560FCE2CADF906C140DD5C379,SHA256=A0AF530E3A55A782B8F9B98A71BC958606E06200506F0F4A5590A6A2B010E187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:26.695{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810712A716D299053257871C452C6D34,SHA256=CF742A3A7BB258782950B8AB9E9B1B2A19DB39F4641825902406D71A71B82E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.628{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F221CD070C013138A1B6656959A24E2,SHA256=BC8990E8168F10B676B9D9E2E0B811A05AD2E8F01D7E21F7ED21675E180F8742,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9336-6149-5327-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9336-6149-5327-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.471{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9336-6149-5327-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.472{C189DCE5-9336-6149-5327-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.253{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=298D63ED2F93A07EA7B274285813BBD3,SHA256=8C48822AE1D2E6B5858E1DF8482D15843C63ED7239408C14482CCF8C587B7BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:23.290{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30781-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:27.628{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52DAE250662F207EE3AE7395FE92BAF,SHA256=2A85610C4F7DF2D3FC1172895C8048939A34CFA54DA86F60DA0ECCD4A498B306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:27.711{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6F9040AA208622634600EB6BF007EC,SHA256=4CB7317D14399B43AA96C460BD38A6043184E3F8A4A48664B3898DBC0B46EE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:27.518{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC6A17FE61500F031E825B1A516386C,SHA256=7D4F6D45B95C12A3FEAC87204E2ABDD20A51B401A258DD3DD95CF2F1949D313A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:24.721{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32254-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:28.742{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F2BE1E62CA4BA0277BD18828E2A17B,SHA256=56A7BC45F522E20F448FADAA78B867EEF6C913D7CED50843BF4060BE042196C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:28.643{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC430CD25FBE6D77DDED4F21BD847F5C,SHA256=18B09D2FBBE9F9C1B832C3A56A9A5CBE68885C160D57E2858CE8142EAB7ACFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:26.245{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33872-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:28.648{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=21A6E21ED0FABEC1D324C726879D077B,SHA256=25B5DEE70B74BB93269DC2722D3938B1F6B62F811D9D130D6156BFE7658B164D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:29.757{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B835E30367FDC0BE0CB3139B1AC8E9,SHA256=B48FBF46A764A7C23BFF8C9C74085BA08B41723AEFE35F1D81847829DC3743EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:29.659{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062E3DC72F644A5DAB948326A8DB700E,SHA256=5B348B2593A170EDC4A41244E911EF9261518CD347448D95DB977211957C5269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:29.726{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000299783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:26.494{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64168-false10.0.1.12-8000- 23542300x8000000000000000261487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:29.612{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5669D56F6E68E7A1D38DF3D8A08DD192,SHA256=57B80A884D61940A22A218DDF850BE75B61DB3012C8831231CA6DDDFA3E8B2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:30.757{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D1DC64F9A70CED221CF9BD441F1B3D,SHA256=EC4FC8A8E50A81F66250D61BC7C1FDCA81DE0DBD215DDD14DB308792ABA762EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:30.674{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5004FA1F2A426BB70E67E6BB017D884,SHA256=FC38C142022EA94308A0D64A306409D47604B162C4D44780E93C158C2C9CF09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:27.743{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35381-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:27.573{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:31.690{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6BF528BD5BFCF1F5D4822A473149BE,SHA256=B0E4DA39808B65042E036E7B5CBE39D1BDEB91B2B33AE5A361358CB5210D7B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:31.789{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C513A7837D74A61BA32074111B6FD9F6,SHA256=FD60AEF2A4E2992B7C08DB36EC0666C37447ADAD4909F371C811955FA42C854E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:31.081{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE699191A913781880D1EACFB8409AA5,SHA256=385628D9CDCDBEF081D3431F54F82DD7F6AE0FA20D56C985894AB33610FC993D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:32.804{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B469A0BC9E8D15055EB4AC804C1D816,SHA256=53BAE1DA8C9AA8B8491D7E705EDCB1AB79FD50BB3CC06C2935C478DCBC02375C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:32.706{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EC14BC2AA88BB24891350F87C1A6B7,SHA256=C0F17643FFEB4E3D65F5381B0B22BB767674A9E9798084C46F64240FC67ED40D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:29.299{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37035-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:33.961{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:33.820{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCDD62FA8BFE52C633486531D8CB6A4,SHA256=35E5FB6F2CC5002FB36AD7094DF6531EE08F6E50E930C0DD01DEB927C2779A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:33.706{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F52853B6C2D199B515D46C1C743598,SHA256=D56B9FA25F763624F7C0DF568DB64C44F23DA3D003E2DC39C8D4494E79CD3BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:30.681{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38487-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:33.081{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A616E50E8FAF0A3674841D9CFA04A2F5,SHA256=315F7DF0AC3B62A6A56DF4942A02FBD766D3C61B1CC8F745D9C5D990696FE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:34.836{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3F8AC7F8708D1580578CD757D2872F,SHA256=6286610D1F3256377B315468A28E62264BE0B2C472CB6CD955064AC63D0EC7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:34.721{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844E0CA0B0A1CCB88F7FCC1039E7F8A,SHA256=883BE3E066606AF9E99EC17E77CC29A4640AFC7CAEB64B6291E14054ACE0053E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:32.635{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40444-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:34.456{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A79E272EE89172C004BB6DFACEFC75A,SHA256=0D6EE5188E46413C9589BD77B2EE9DEDBDAD878C160FFC6D9A336552E10E0664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:35.882{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED670536EA58F505355D4E84F559DD1,SHA256=A19A8C9BF707C1B76023C1B2C788EFFCED8484939633E456B3EE430CBE458CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:35.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D82A574C5DC2A9054B2CA5E484CE8C6,SHA256=9FCC371367FB37D9755F20446B73DC59F2F4B09328FD29E254E93B07CC7CDA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:35.737{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235A9C2C282664EA32F83A963EF816FF,SHA256=C995046AFCECECCC41E061CC2F817BEABC3A5E82C0504BA7DD3847480AD17509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:32.494{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64169-false10.0.1.12-8000- 23542300x8000000000000000261506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:36.753{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993B8CEC1BD3410B8F569F963281F139,SHA256=80429C4E012B042D7F98CCD8A27E10722541BC6AFC95DE02390428174767B432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:36.898{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15576741F730D5DF42CFCBEFC3FAFD1,SHA256=E2AC0CE8EE0C4AE2EFDD250897D5B52F06702BB03E3276645536179DCE363C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:36.492{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:33.557{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:36.362{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:37.784{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4775B70E81F775946F885592A2348060,SHA256=6C6D19C11DCBBA4D82BEF80D7A3421724A012FF7D39E38BD4EA00BB7C65F91BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:37.929{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDF1B5312E97FECC6AD8AD1B75F8791,SHA256=045AE404C091412A43B6C674642A5E6AD8AC2A6998F9379FC09F89AD5EBBFFE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:34.060{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:37.362{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0CBC707C855423416F22EF2E4C49F9,SHA256=900CDF139613E5C13EA8E166AA409D5CB4DE767924B03B8F810572D3F9C237F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:38.799{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B686622D69A6EBC4710116A700A23B,SHA256=5F4562D26EA333BC8237F8D1221DA09C83E6B23C246AE2CE1158B4AC6ACC2B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:38.929{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F848DB11FB76A103D49E178AA56DAB41,SHA256=744B03D051D70DBF559CCB989E0693F510FEAA08ACC53347220B83E16AD8C174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:38.737{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9897B746F7A6837B52C14A03C96B8C,SHA256=DFD0AE529D28E6C016EE8B57062AA2ED1CA73A5F47754E73F1C82F4AC5E2DBFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:35.823{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000261510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:35.525{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43337-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:35.791{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64170-false10.0.1.12-8089- 23542300x8000000000000000299799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:39.929{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D9EA8EBF292E323E67AE37B58A1D91,SHA256=F317C01C3C20001D6B58EC7ABD69D3BD490AAFC004F01BC471D351922CFD494D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:39.815{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25106D6D64DA3293D8D3791D7AE70B6F,SHA256=AD2A20BF3562D87604C44A21581C51E76D5C70C57FC493407275A3991338A925,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:36.951{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44928-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:40.831{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CA9DC928702A87FC19483FD254F5C7,SHA256=5AC8978B03A7D342CB04307E420989121D4259153C5730EABEB9D8AB0D433D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:40.961{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223DAD189BFFC5072827D8C219E99A99,SHA256=66BA95928045D97B67033431F553D0B335E90476322AD16863588E22B78F5131,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:38.463{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64171-false10.0.1.12-8000- 23542300x8000000000000000261516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:40.174{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31775D4B6CB557AB23BA92A5490C8DB0,SHA256=B1554905B8BD6CB7D650515427208FAFAEAD38E49E3D84610A1BE6ECA246D974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:41.846{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEEF2842385A986FBFCABDDAE1637BE,SHA256=BBBA84543AB8872CD8ECF16D51899C250967075D9A1D4B4CFAE908031767F0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:41.721{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19573FD6ED94BC7194823656A378C81C,SHA256=2B8D2A35749BF016BD03F840A8824A0916B079A648E7D9FC669B3F2A90E8F27B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:39.728{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47893-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:39.542{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:38.405{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46370-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:42.877{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AC2BF4EAE60F6A1E035FBE49DA697B,SHA256=5C12146E8FFE5CEA04EBE797BB740A66AF4EF66B2838A1D30C5D13E6F20A5E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:42.007{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8118BBF645C2C3586D93882013F11EC6,SHA256=6F4AE9B77D6D5E582CA4EBB80D6FF6C06F480E9F8D9D38959FE8BC26045C6C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:43.953{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9752B182D77E2ECE11155ABD8232B530,SHA256=D553645E4F3D27A6B5E4F6A931EA8BD899651E3B2DE2413F6E4A0D17D2E2B559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:43.930{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1376MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:43.023{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BCC06E2965171E7360823CC636ABD7,SHA256=3D4AFF0042CE31079B65D0890AE24627C9EC076149C4D45E928EAB299FA87D56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:41.294{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49564-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:43.343{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7CCDB89B73C5E5EAFFA85C7E8CE359,SHA256=BED038CEEF2233E3AD4094C9A611F6B911D0DC0793D86C0FD1B4F3FD1250ED9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:44.968{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D847430425EA4FE61D30CB689408C078,SHA256=770AF63A3239BF77BFBC75BBFAB165105A9D180DA4EFF5123C1383E7C65AEF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:44.944{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1377MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:44.052{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242CCCF5D1349A73A9FF0DC686BDCCF8,SHA256=BCC81B582B98FCF4DA832596768A4E8D5CF6797BB7C93DC9D5906D59558ECFEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:42.901{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51226-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:44.703{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E65CDB8A7522724659E55F54FBFF22,SHA256=DAFC658034E29FC3F27AEDAD35AF88B69EEF980ECC578976B509FC55EC90B4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:45.066{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E68018C45659B78C8C88330AB5E1052,SHA256=25ED4276A5125587B1B4C61AB199BC139DEEBB751C8F72FEDA6B70B66FD6D401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:46.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF7B90149B5BEC71B73851854E73BB2,SHA256=7A85F7DE0FBEAEEAC353507C2D48D245777E1384372A5D223161F4BB70E7E1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:46.031{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE66E09B79431BB701BA1C432CBD10DD,SHA256=A96EBEB2616A6AE1579D2FDD7AAA8888288FBD70F8C3C8685777735334F8EDDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:44.365{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64172-false10.0.1.12-8000- 23542300x8000000000000000299808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:46.070{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFD680BC39B7C2C16FFCA49B26263D8,SHA256=B55AAB51EB2ECCE13D86D0492551756B93ED7347B77E88900C80918A2242FE9D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000299820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050d3f4a) 13241300x8000000000000000299818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb7-0xa8ea7521) 13241300x8000000000000000299817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0x0aaedd21) 13241300x8000000000000000299816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec8-0x6c734521) 13241300x8000000000000000299815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050d3f4a) 13241300x8000000000000000299813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb7-0xa8ea7521) 13241300x8000000000000000299812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0x0aaedd21) 13241300x8000000000000000299811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:47.241{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec8-0x6c734521) 23542300x8000000000000000299810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:47.085{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0881584898E06C65B914C2F4E85A8C8A,SHA256=D0155328583AF8DDDE4D564342865321C93323F2E1E7C2C30D3CD89D0FA8B49E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:44.711{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:44.311{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52632-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:47.765{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9651D9E1DFFFF5F14F021F7950BB2280,SHA256=B545B062077E728E085AE1ABA610F80493D1FC6546122A9102590701841ABFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:47.093{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51F1B9EEAF129E7995346F48D2228D3,SHA256=BD2B5CB1AA64357FA615EDE5BC6AE9510C946CFA000E98E12F0E4D651F00DECD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000299822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:09:48.413{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec0-0x0bb5d77d) 23542300x8000000000000000299821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:48.116{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81954E830C82E80661644773D2576C0,SHA256=4378F06C17F27DB6F645425BE261B9D25D683429356DBD81CDEFD21AEB4AE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:48.093{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B87621B7B67D56CC1191926DB952444,SHA256=3AC04F424876BE0A539FD10D25282E9905EE4F29FF41E75A1BA211443C32BA6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:47.711{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000299823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:49.148{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274D1BAB1DA2B9E4A859491FB2670975,SHA256=D1AB43354CE02158446B4C4E6AE8882403FC5C63CA21ABAB0C4ACD46FE0B107A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:49.296{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64851149EA57C7223851EC015A8872CE,SHA256=7BC2F5A23AF709640FCAF3FB0492B645FB0C6C59BA6FB42DD4D8294B8AE02EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:49.125{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C98C506C4A84AED0DEA48D587372C,SHA256=8FCD3D483367A4EB17CCC00181B8CEF475C7703BE81649B081972C17095ED608,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:45.823{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:50.782{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF1B825FBDB118FF8A9CB78E368CEED3,SHA256=B41952404A051D548AC7E253DC419DCF06CEA8E32BDFEB3F354735C7DE2C130A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:50.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C09C89A1D41F8AABACF2EAF77152EE7,SHA256=F4B54049CC1624CF711FD05C47777CE26F5CFCA48FC5A7C41F6BA3CDE60F44D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:50.163{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F3C1068F794A47CDD1995A5E478AD7,SHA256=F2271E19F032DDA53A2E9DA96F02B7F580094F6DD458BF76994B7507306A098A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:47.378{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55849-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:51.220{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06725B111089391C0091B2CB1315E139,SHA256=D2B8B88A394AA1457BE1C1DBCF8553349073ECB0A851EBB4EF631BED892C7EF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:49.462{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64173-false10.0.1.12-8000- 23542300x8000000000000000299826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:51.163{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D352937F91CDACBDAD42E052E2222DD,SHA256=4E36EC96A763B10BD6B90D77E7CCD48A8CA1BB0002080505209433188D5227FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:51.129{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1368MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:52.297{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE372B03E94C597708BA0A733FCD6466,SHA256=288513251D11DCC46E3077AAD953CAAA8AF059853D8955524FD7D0067B31F048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9350-6149-DB2B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9350-6149-DB2B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.601{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9350-6149-DB2B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.602{5097E253-9350-6149-DB2B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:52.179{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965A53B0E2AFBC62EB3BE647CB00B30A,SHA256=7EA502821EE000E03D9C7E51B1C45DDBB029B88F0B758FD4FE5150CE4922755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:52.266{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11AE2018E0398B6EFD5E700B542F404E,SHA256=CE032C37E8E3B92ACC2E9798DFCF2E515151B6D3A2B9E6E9C5FDC8ABF0D3B747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:52.128{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1369MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:48.896{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57375-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.913{5097E253-9351-6149-DD2B-00000000FB01}48405272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9351-6149-DD2B-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9351-6149-DD2B-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.773{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9351-6149-DD2B-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.774{5097E253-9351-6149-DD2B-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.273{5097E253-9351-6149-DC2B-00000000FB01}74523776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.226{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EE7C7A98D3D5312306FD18A877EDD2,SHA256=3368756292D64A0D62CF8C5368725282595C9508A94591544FA3A1AA907BB32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:53.924{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D68A6780C7078589578FF37B25E70C4,SHA256=D8BAB7DB1D92E074AB01C6749A19C33ED62BC60C161FCCC0B02B258603A5853B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:53.315{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA86704D09985ED6B0B5EA062CD0F2D5,SHA256=1C86CBC6AFD5CD8AD879BEC6005B1C425BB3AE474594D00D8D24B767793030DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:50.540{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:50.337{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58973-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9351-6149-DC2B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9351-6149-DC2B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.101{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9351-6149-DC2B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:53.102{5097E253-9351-6149-DC2B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:54.315{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAEA3BC8DD5A876AF033A7CBDAC9C3E,SHA256=DBBCCF4097AA7BCC7B08C1348E78C9F5EC23DA06A40D79C34B763991FEC93A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.585{5097E253-9352-6149-DE2B-00000000FB01}75885920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9352-6149-DE2B-00000000FB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9352-6149-DE2B-00000000FB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9352-6149-DE2B-00000000FB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.445{5097E253-9352-6149-DE2B-00000000FB01}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:54.226{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7F33C99B8C06547B2D680B503C9474,SHA256=629B7A058A6DE70F23A3408E8EDC0B07C1C32F1FC7EE16B236806BB75FD67B47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:51.884{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1563-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:55.331{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B473A42E538C9DAE9D0E26DE289554D,SHA256=BBCAF08639A8032F676B3763D20D53FB1D3273E7786790C17787D1DD201601CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9353-6149-E02B-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9353-6149-E02B-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.788{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9353-6149-E02B-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.789{5097E253-9353-6149-E02B-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.257{5097E253-9353-6149-DF2B-00000000FB01}42004704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.241{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35C755357DD9C29E84F1D3FDEE0AE24,SHA256=DA6783954F36FFBDD5EEEB4A7375AF6ED0608A39AE74AF271762C0AF54F13F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9353-6149-DF2B-00000000FB01}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9353-6149-DF2B-00000000FB01}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.116{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9353-6149-DF2B-00000000FB01}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.117{5097E253-9353-6149-DF2B-00000000FB01}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:56.241{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEC473DD5DBB633658BF1C8041C7AB,SHA256=43905F8E7137B535FE24B59461C363CB30B37A74002E97193AC429E753B76070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:56.409{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5338C610261B8E8917CD6BE05E2D525,SHA256=4628FDF3633BC555DA5C24E5DD35743CD46E6ED88D8B535DD02C210059E15DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:56.346{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C3A118D95EB5AC3DF1E21C86C6D80E,SHA256=9F926B626230CC85C55DED9F99A56807B382C12ED6CCB2494D60DA26F62E25D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.884{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64175-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000299887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.884{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64175-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000299886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:55.509{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64174-false10.0.1.12-8000- 23542300x8000000000000000299885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:57.257{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4072EF787BA680D3C860ADEEAB7497A2,SHA256=1DCD5F944EAB19115C52982636083C11B3A7E000042B349174424AEE1135E96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:57.768{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C55E481E01A1A3BFBCCCD495AB5B92B,SHA256=90049DDCAD4D4FCF2973A15474DF2CA19DC14C62A44B436AF12C455CC87211A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:57.362{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5205B4580464A501287D8C31E98B02C,SHA256=1DA535955C4EEF53DAFD94D9505F53319FC6C010CBD966B23EF1E4C33583418D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:53.634{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3232-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:58.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AF2C04351E055F09AA8E92EA815CD9,SHA256=87C4F2538EAEFE690BA2C8CDF3884DD7B17C977531FDDCA64F58F3D96010B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:58.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B122E2F3A16EF7D943068369B1A1DE,SHA256=247D8C745E2B4A8AF0D310C0656A92E102DDF6D55647B58452424CB1E04495C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:56.526{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:55.962{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5717-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:59.409{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98CE50F5B602ABAF6BCBD359470593,SHA256=DA663EE852F00EAC46954B1AF8F400555DC3A6DC3CB3C5386D298A92A37F5F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:09:59.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D3F8D36BDE9F4BBADB2F54E22E6E3C,SHA256=6704FC3F650A369996D2226CC321E8F415A0931791B74D5E5578A9CEB7CB6960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:59.268{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4F3869E95DBFB8CB9CF36840FEB89D9,SHA256=64C4252E426133E370F68BC56022A62FDAF2A1526923027E757E4D6843223204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:00.706{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64108391703705CBFFD3203F22C6630,SHA256=E238B2B78108E829AB6B5E1688DB5AF4EF20BCAD0A43F45D8EAF312BE86CD4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:00.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49149B0C2DE743CBBC5B757E2C24F05E,SHA256=0EB35D704E0946C6DF188242B2566DBFB770B405BA7178F7C342780AD23750B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E2F7CCD9F65DFDC2803E990E73E4DA,SHA256=37CE0D4A79A447F708DCD7F47D5BB4C04E514F8DFD3411EAE56D64F0992B9390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:57.328{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7357-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9358-6149-E12B-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9358-6149-E12B-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000299892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.007{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9358-6149-E12B-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000299891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:00.008{5097E253-9358-6149-E12B-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:01.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62294886ADF6170903D7835348EB1A6D,SHA256=6A4D49CB6346C04D9D4ADCA99744F03696BB4BB09BAFAF516F1EEE3B251BA0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:01.518{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EDBBBC32F825673DA722F998F51209,SHA256=1FC686B292F995264CFB5929868AD810842FFF07B80794EF50CCA87A67CA7636,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:58.875{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8827-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:09:58.820{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com15537-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:02.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1BAAC443676EE814F03AA7EFF130A8,SHA256=A9FDBD413E659DB7A2D1F552D3C966CAC0B325379F76762D95F9C4FE11DBBF0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:02.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948A3052DD58B1FA6E4AAD87C84AD668,SHA256=1F2EF6779AF250774A2F5A9A260109C38D882B08A23E74086583D353946BCFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:02.143{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79D69240D3776FAF1193AC5B9148CE2,SHA256=2CF872265397A7455600688753F1F97FEA7B1DBDC2D51F22E132EE5B1D124F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:03.538{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0802CD2FBF18DBB8FF748134485F6B6,SHA256=A8E92CF55E37B4EEFBD97202E4555CD82116D7F564B232E0251D7BD2420179C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:01.525{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64176-false10.0.1.12-8000- 23542300x8000000000000000299902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:03.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034E07289BC7DF45A46779E3EDAE99E3,SHA256=4A342939B863464E4196FD1F7C5F95EDC1E591D258B495D2BE5B231A89CF4972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:03.491{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE4F78EB6017E7A442CB9C1B66F3C44,SHA256=02EE7A23FAAEA06F988EF8172D51F057DEF9BE54CD451AFF8BDC3DCB23209A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:03.237{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3064BAF891992C36F898A259FAFAC239,SHA256=77B94FC393EDA43EACA4831A56E96A83B7E114AB3EB185C0878887799028AB2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:01.557{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:00.281{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10430-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:04.897{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8383E19B5A7202112EE66DFACACEFED4,SHA256=D59ABDD287BC57F2961632A08509FB68FA688B0DCDAEDB74A4B2C89F6AE0FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:04.553{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBC2097490ACFDAB2C6FAE9E1BFDE75,SHA256=1D60D15A4403A79CF746A4D81BE78556072C42A753C4C4C1A4126CCAAF55A98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:04.309{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D481A39B84C91EA670839F9BA74121B,SHA256=CA42B302022032C3F67797A01C9E5FB923ACE372647E845416DBA6C43A7E7CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:01.697{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11905-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:05.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804E9C4F6B0E49674DD38B37C1BD06E0,SHA256=A6FD13DE5680AD349B6CCFCA846D08CB0A68C6E09B9901E6688E685EB55CFCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:05.616{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E776CD103625626B142BC6D710D8939B,SHA256=2316E0A364DBC5717EEF22A7F853769C848CF2861E57FCAD87EDB5E0187DBA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:06.632{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497C04D9E1D96035624296565B48958F,SHA256=A62D8B69604CCCB69965CBF5079B4E74F6CC279F8026C7D859F8A2FA7D4A97E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:06.371{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF1BEC6E0579B5AE8279F306B0E2409,SHA256=205C064316C05D7EC5B99090C41519C347BCC5198F5AF553A5BF83BC4D48DA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:06.382{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3CBE27DEDC56B87EAB9BDEAB3E817F5,SHA256=1BDCC6F488256A61E5AA67DC5DA5786DBA32DC2830A404AAFA1B7CE77937B43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:03.120{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13346-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:07.788{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF05C5AB6C81F4614EAC760B513003D4,SHA256=8CB2B24E2EF452676D9001B75E7C3ED0BCFEED8EA48CA4C6618390CEFBC66396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:07.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9989A5B0D01CF0A4D8176D720AA98FCE,SHA256=B394A9A8B4C22E6D28448E3266AC72C84DC6B1835FCB56F4341DF816EDD1C97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:07.418{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F5388CE3583327C9C924ECE447BA53,SHA256=92754821A5DB06FCAF40CE9C5C34214127E72EBF612E62D99DD51E97BAD7AE4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:04.588{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14813-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:08.663{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB3BBFCB96F745DC74D7C79CBD7429D,SHA256=AE2A222B7FDDA5D727856615C9B0F40BAAC64C64F2DAB2ED1CE7FFF65885DF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:08.434{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585DACCD1D388B720F67B8B846475FFC,SHA256=5B129595B43DDA54A1A067BDE241A0A7383E4E47E3D241F3C79767C13AC72FCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:06.656{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:05.932{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16205-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:09.678{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1737BB48A1DFD6F73DB58E47BCEFD3B9,SHA256=62FC7D16441398480BB1981928E71B6261F71B1C56AE01A25EDCE4E81488FF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:09.449{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8282C2CA5E8A5AED18F3C57B0EBD43CD,SHA256=EB0538ED5B91C72EC21A9456A01B5DE1E616C14073F25996CE457AE6A034B7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:09.319{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D04F4FBD3AEA023577085C19FA86249,SHA256=6D76142FCAA6840978DEE2D51FAA6BF781F4B3BB9520EDF1FD3B6F8179E0EC83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:06.545{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64177-false10.0.1.12-8000- 23542300x8000000000000000261596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:10.835{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62332947D923E34A8586C56FCD76C659,SHA256=B96DE6AB357062DB167AB26F061CFD15DA32A424B4A5ACBDAB7C7465AD8FC509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:10.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EF47B8604D43B8A31F64C6520250D0,SHA256=303EB9A1323BEE526078859188D5BD96DDD5C96E1CA6403A772E7F37F2A4A62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:10.481{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D8E39765490530C49BF7CC9034C6A,SHA256=5670002759D296255EE14FC278350C2F9637C41A536D425240982D06464E89D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:07.389{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17715-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:11.710{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB00DC07740BBA246475B01706C4579,SHA256=01F2B58080504F13F4A5D10FF0CDBC3274283E06F22709C4350D4D46729A51D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:11.481{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1781ECEF85E42A4CE414B131ADF64FE,SHA256=9AE1566EBE670E1843D46F8CD571B14CCE6078A2BDBFF80B44DB078F8C4297B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:08.871{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19302-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:12.725{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246C864A562B6CBEC7BAD671D97D3814,SHA256=5109612F0779B9DFEC1C7DFB7FE6BB6FBD4B657A07826F534A86175BFD709F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:12.512{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890B596C26EB531631696307F5664B59,SHA256=3BCC71D10FE3B146836E6E7981C9FA76A79520E124AD0ECEC844A296E10DD075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:12.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=696195AF57B64A35C1FCAF471C95A450,SHA256=54124F765BFDF755947155D87262C87E522BCE595736C1C62FF2522A4CBC3597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:13.741{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=831CE079CD5128ABD12F12E8F1BC9EFE,SHA256=B86E81BE90D41BED6EF39885F131AB9568F483B2E30FCFFE5CF81564E24B37F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:13.741{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE29F6E3EC7F449CA697ADC191B4C2C9,SHA256=77F4150E115F290F00BD776ECE12E5296259D1D846154DB6B915FAB2363050EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:13.512{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7E6880BFC004B539C3ABB66A413221,SHA256=CA1BDEC0555D0B201A6A8EA8270658B5E6622A5193D5A4EC36BDD29BAFA092C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:11.809{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22428-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:10.404{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20968-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:14.788{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEBD51D950661278E0EA719BB7B64FF,SHA256=85233A72A9E02750F87B2F92FDCB34204499C651D49DCB95E8C196C2569998ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:14.527{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572F190FBF71389FC447302441325CDA,SHA256=5415A7581C71D3065A2D6D966A4E2189C3CCFE01387C786138510002B00C767E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:12.577{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:15.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464A400360FC02C895C6EA4070AA6B40,SHA256=9EFC91A8410D261828C7CF66CA30836DB7829F470B9586333988EEDE1D3C9A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:15.559{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9590902080CC1CEF096874A84CEA3D,SHA256=4CD691F5A555C40F4245700B474D9DF896024D397F825E2185A141B87C81D775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:15.132{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C3A37549AC008095C24F9F500FD2D5,SHA256=F49D043E9D0583BCE71897255A3F94DB1350906D5B7EE7B55B673E113CF64369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:12.529{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64178-false10.0.1.12-8000- 23542300x8000000000000000261612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:16.850{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04752390C432CBB596DC207615E619D,SHA256=E1F4831C59D60AE0F0A9D0DCC6130FEEBAF16ECBEEB84D3A599B376FBA25861F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:16.559{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D1394AF66D7B605126C399E67EA2AA,SHA256=E9B5653629CCA813ADE008F089A8DFD36BB9D7DA6B15E7E29D7D2F7B6A95BD69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:14.684{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25545-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:13.293{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24038-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:16.475{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BC56AE7979B3D2D4B61CEA4B5C1ECA,SHA256=FDA77B9810D1E56133A3C88F3A29F34B8F70772F3B1654A66680752510522081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:17.975{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A090E70E721AD089CE2496A85BC58A2,SHA256=04A3AB4FF2E9F3A7574289DF520DFA3C312320B0BA331EDF747BACB6F912E200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:17.882{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBA1433E8AB36C99FCBE0ECC8D35BBC,SHA256=C7687A22732C27ED216DDA98EA39AC3E22DCBCE0FE4ADBFE7F9948BA1BD1D6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:17.606{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BDA2F2E10B05F7B3628834A10D1636,SHA256=9A0806426D060DA6B75A74C8D0274A54F04C351847BF4FD4CB69BCBD458083A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:18.928{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2651B25CF91071106E6B281A4EBFB8D3,SHA256=800F28AA400529EAF168C86B0C20261C61BB9140E5F9CAEC879D2E7F0D086722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:18.668{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B727DD3297717474667FC0FAB430271,SHA256=035B1E80169C0B441252646F1D5B0B45AB1F75BE15F5447F43941BB7A0E12BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:16.081{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26898-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:19.960{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAFFE4EB5591F35CCD63E7CF2FB7DFF,SHA256=A06F556C3A7EBF690F19136D8198586E072F0F5ABFF92246EAC279B0FA515EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:19.684{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B621CC88FD871F900E8786E43CD56C,SHA256=5E32981EBA1DCE91F0B164A8D3DAE50B9E24B4570520CDA3282C4D302EDF9C94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:17.581{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28445-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:19.397{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF8EB66BA8CCC55347D623E8BA7632B,SHA256=61A7C9B96B2B28ABF994096F05EC34218074EA9BD3FE9E6FB3E211AE3C451481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:17.545{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64179-false10.0.1.12-8000- 23542300x8000000000000000299923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:20.699{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9691B3BD9410B947D2FD40AC059C83D,SHA256=4D88C089B6C5A0B732FEA2EFB25A9A1CF3A1C5DCFDB7058DF31193000E9F54A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.928{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B13F175D871F7658F95514A3FACCB167,SHA256=E4E7AA4D951DFBFDA26A522A974DD530B4D8C4113ADB30D9804E14882B939B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.881{C189DCE5-936C-6149-5427-00000000FC01}40563848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-936C-6149-5427-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-936C-6149-5427-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.725{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-936C-6149-5427-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.726{C189DCE5-936C-6149-5427-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:18.561{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:21.793{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7530575F859C83EFF3E3DE586E0866,SHA256=2DB5D8B7525A037847B89E3B5E040D6CE190DF0BA919F3428D4A73D4CCD1EBE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-936D-6149-5627-00000000FC01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-936D-6149-5627-00000000FC01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.975{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-936D-6149-5627-00000000FC01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.976{C189DCE5-936D-6149-5627-00000000FC01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:18.983{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29955-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000261650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.460{C189DCE5-936D-6149-5527-00000000FC01}7001936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-936D-6149-5527-00000000FC01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-936D-6149-5527-00000000FC01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.303{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-936D-6149-5527-00000000FC01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.305{C189DCE5-936D-6149-5527-00000000FC01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE03A17E01142979459E7E3B730B00B7,SHA256=8F7F884401151D1E1B41F7810BCBC89DC203AA0C88BDB9675D703FE7A3F2A57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:21.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=516853E4E4A9AB629879A476A00A65E0,SHA256=5310D607941E978AC11577F5741D1D149D36EFC19164405A8F9D12372A6B283E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:21.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6FB14E1B936C7F3466ED02BB34C40077,SHA256=F31C26ACB7B1F08F47FCAC83A992526E18C891104BDA2AA35764975EC0430C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:22.840{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A55DCF0C09BBB9C410678944407DDBB,SHA256=9DFFEDDF67ECE1B30D75BF3012F9E125ABE006527BD7D19FD0E89DE69AEA66B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62433EB37696C34122332B10CC02E951,SHA256=B9AE27C107168927D3DFEFFD7A251C7395400EC04D2AFBA45E6F24C71AD3319C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51B1840B828C345165E6705EFD7A35E,SHA256=2AC0361FE01B1860F3BD2D3DFE176F0442B3DA718394A3E96426F58AE31025A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-936E-6149-5727-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-936E-6149-5727-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.475{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-936E-6149-5727-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:22.476{C189DCE5-936E-6149-5727-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:23.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC1B6A878B55226DE7CA3C4447F2764,SHA256=C23AF0DB311E12F976CD93932FF97752BEBDDF8ADFDDAB624E446630CEBF1AD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:20.487{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31500-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:23.509{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A51CF488DCE54B0F7B8CA7B6E308AB,SHA256=47DE93B13484200A96EDB9741A1C07521BA068F49876C24A005A6FF1B1BDEA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:23.493{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA4621A7C486C151FB951C9F6370628,SHA256=1F0179B2E4C9EB534C017E609205B26C69189FA49B25EAA35BF3F2EEE95ADEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:24.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B8B0A2922FD7186016C435EA129155,SHA256=E87185D59307A49D82EC0B2E91011835900668019A09A466458AC226E53BB4DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:21.984{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33079-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000261697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.790{C189DCE5-9370-6149-5827-00000000FC01}9041020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9370-6149-5827-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9370-6149-5827-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9370-6149-5827-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.588{C189DCE5-9370-6149-5827-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144604F24BED3C303BB15948EBE2D246,SHA256=369E799DFA5146335A81A1A4B6A982C996B3E3DAF778397CAE6181B2702BF348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:23.595{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:23.325{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34562-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.759{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DF9214D42A731084AB14C85FA7CD88,SHA256=D13551019566AC01D78BB0079A85599578069672C7233269301D5A7E2D4B34E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:25.874{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB6679B3AF85429E76071601EA3AECD,SHA256=801060ACD1D1F322F9FEE4D0CE618FC09C539A7C1EFF626807252FA061ED2865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:23.547{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64180-false10.0.1.12-8000- 10341000x8000000000000000261713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.509{C189DCE5-9371-6149-5927-00000000FC01}9081920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9371-6149-5927-00000000FC01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9371-6149-5927-00000000FC01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.259{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9371-6149-5927-00000000FC01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.260{C189DCE5-9371-6149-5927-00000000FC01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:25.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C43DE2D12E2196A8F96F287906D61133,SHA256=CF72B7EB2A64236D3D6CD0ADE718EB5AF7AE31D3444CF079C026DCA6585CA641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:26.889{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7AD72897309FA6518244B14A7C38CD,SHA256=EFDF944B35A0BEDA5B6FA1456B5D1457D923EE29B695144AFCF87DFD152B3D1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:24.656{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36009-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339AE9E0354E52473533971A89FF8287,SHA256=3B5D183487458A49E0650CBD9353B95209D26163E72291DDBBE706D557FC6A8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9372-6149-5A27-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9372-6149-5A27-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.400{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9372-6149-5A27-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.401{C189DCE5-9372-6149-5A27-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.275{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD8AE9DDABCC5D293A5C1B03133A046,SHA256=F34DCC68ACD127487FD3FB05A134850C73B29E72ECD4BE46F692BB26F4164281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:27.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B6568BFFBD32A8C4F2BE90DAD6DF35,SHA256=A84B8160A9A272DC740603E0189FA5FF132880C2925AAF80152814FB3AC8C6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:27.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31F99AC208D2ED4B59384510AC808EB,SHA256=513A7C3ED7FA11F74222D6D80E409BE7B0F387068C0FA4D3ED4DC215B333CDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:27.415{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91691D743D71DE902818500CD4353B76,SHA256=8927C93B0A7B4FC66A96D934EB55B63A83020BDEE217FFCEECFD62913DE4315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:28.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B971E3E5A2BC0CA1FDD5F10E88B0978E,SHA256=D92E2E224B19CCAA3187AB07F313684908C4C2BD597C4FAC30217F7B7F19D3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:28.837{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6228CEE72D1FFA374175200DE30702,SHA256=A147E3648864BDE3745E1BA7833ECA2A6A6D66EB96157E3D1354DAF866FF26A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:28.655{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C8A1ED26FDF9BA318004BFB9AC8EA71D,SHA256=A91BE4D27F597CFEBA733592BFA227D11C1ECF93B248778F46B5C22AC8CF3394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:26.057{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37500-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:29.921{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029843117CFCC3BB8BE2EAE91BFA68DB,SHA256=FC686AC03877BFD4292AF8CA8A51AF220B61EAA1DAB3A77F5E27CFC2A7A3A388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:29.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24221C13F517E00AC057986795ED1483,SHA256=7782C892CC2F0C16305044F0D74CBC22380B311D095CAAA5EBBE56269B53FBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:27.435{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38918-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:29.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85755659779A3ACCB223C3D0187CFD74,SHA256=9323951548FE2376ADD853C36C842B513EBBC96A1633105B1F526F30825873A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:30.884{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DFB31B4BA2E648FCC9690780332E2A,SHA256=12B2F17CE9E80B7AFCC4A84865501FB5A2135B811D2301211E6DCE11EA330B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:30.936{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9722AB1EF28CBF492846432E63EA9FDD,SHA256=5953CE49B6EBE8593931DA5393DBF227F80C6ACB714FEBCC8D53A864B4BBEB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:30.743{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9911BFB3A81F85C5444826AFED879223,SHA256=72770E0E1B6755AF83C1BD30CB9E4F37C2A0DEF71054BE5E83DEBAB8866726C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:31.900{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA796F2749E5C43323D691F282929434,SHA256=5F15D8FC54F3711FE9D4FAA447A64C38C529082FF585AF40201F0DCFF6263E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:31.952{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0B21A3DFD7FF8825080599B80B9DDD,SHA256=04E61C225947A015B6C33FC9AE97D819894664E3A60D4DF1B2F36639B26E8326,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:29.626{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:28.860{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40383-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:29.422{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64181-false10.0.1.12-8000- 23542300x8000000000000000299940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:32.983{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F875E145999D5612D357E3F73C5E2D,SHA256=FD4C404C1B6755AF5DDAE416292F1783CCFE06B5B01654401CEEC82EDC193E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:32.962{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1F168B4185B1342B7A35C0AE0FD43E,SHA256=560299163D2F201D84EEC65BF7E92CB06D149EFE72EB17AB23BCD401A4865029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:32.322{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF91AB1EA6786E056E65E97D9DE0FCA0,SHA256=990BDA1D13FBD180DAC51E9985553118CA0120D1A00E3DF28329391111279E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:33.993{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3542A8BEAA708F57FD19BDEEE15BA8F3,SHA256=D5EC2104880562361FF326D27BE3F47F5196672FD074682DDF529D793AA0D33C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:32.057{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43572-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:30.427{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41955-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:33.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12B69A7DBCE4639950C2F291FE57B4C,SHA256=D577274C555F7B77CBBD81741B2BA0D115DC7BAF66516B76F61952C9ACCA8A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:34.014{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F397B8FB62E4A9D9EA594A144BB00E,SHA256=01E5510F9124F76F1251C27AB10B710D2AF0BEFA660AE928128E97EE3D732A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:35.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8FDDD6242F1554FECE49D7EEC65EE0A,SHA256=34C0C50478C2AD2E43E7AC9B5D7CFB0F6E9064E281F152CE8FE5FE37FA4FA3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:35.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C6293F2029CDFB8EB753D9736BC45C,SHA256=442845F7181CF974D01095EE37C72572BE0A3C12742BEDCEAF7AF42A78E42E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:35.014{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4A13A57BFE672597D7F99C94E49B0A,SHA256=8A7B141E456A9A885C4F9A8D95D5E1B912CDC440C3169ED7C8AD43506B4FD904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:36.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD782E871CC6DA0381512FD5267BDAA,SHA256=031DB5D7C26F922EDBA9B016DB477B2D103F441B434045F5A13FDB64904889F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:36.384{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:36.118{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B692297F4591B0E47D4E21501831FF,SHA256=8BA4509B8CCDBBCFC788AB255408D8DB90E793FE57AD6001C4EE02E876EFFDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:36.514{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:36.030{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8E1D158E635FBF41300FC4099CB85E,SHA256=654EB367EC72FD1547D4D87802FA8DA53B11C2B8145BD8215D1C5B3E00DD1037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:37.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D37DC062DCAC79B71C33A2D5470FA0,SHA256=7C7C5F7F4B20902F875C3FD589FF20AE3B6E94E096882F32F587CFB21DB87354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:35.813{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64183-false10.0.1.12-8089- 354300x8000000000000000299946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:35.376{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64182-false10.0.1.12-8000- 23542300x8000000000000000299945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:37.046{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B91B0BC3CAD0FCEEC0F87126E18DDD,SHA256=E03EF06743B0B35DB1949156D5EB7F13D9B4E518EADB6F49EFD22F200FA894C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:34.780{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46675-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:34.720{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000261756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:33.372{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45199-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:38.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7253FE7077B29FE65D84194BAF48BAE,SHA256=955A5B25A280010A632EC81F5EDD4A56347C540C3D8AD518F4849491615FE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:38.061{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606F53C374F118C657CD7E246942573,SHA256=ABD2BF8A9E1196760ACDC90CD1A67A9FC0D65207A5E5E2E4AFD79F01EE16086D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:35.845{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000261760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:38.071{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A2E042A73533C2889DDBFAE415A2B23,SHA256=01D9EAE6CE2D52B83ADF80415BAD3323E8EEECCC0640BF210168FC31978A2274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:39.369{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A99BB847409C1D05A0B941644B3CB35D,SHA256=03F719461B4647D3C516E68A404BE647E341BEF1D8F5EB9BDDD72C30C6B99BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:39.212{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD1FF0EFBE8DB10AE2402D6BACD7B3F,SHA256=CD4C0817961845497519ACA918E29EC8224C20D34337568FC277AE143D2D4DF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:37.395{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-966.attackrange.local138netbios-dgm 354300x8000000000000000299950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:37.395{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-966.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000299949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:39.092{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A4B7F59EFFABCA013BBC13BE3AC02A,SHA256=E332CD0354D2EF3E5DB9C303FDBD0C9B02ACDDE970623ABC93C9E0835E3B9558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:36.264{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48182-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:40.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93AF39181C70F2426A1F83C917E2C95,SHA256=9384C17FB104C2A025B65D2C71863AD6B586E1ADC92D03F8B614E376DF5B5AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:40.108{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B99172D01C31681F5E5AAFC3761D06E,SHA256=2D47590AB2F9E0E9FF132C60C8B9813ACDE81CFCB424683E8896BE3CE431A0A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:37.625{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49710-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:41.259{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E713E17AFB01313BA2A79B187E47DB,SHA256=D0FDD95ECE5FAEA4CDACF82E0AD2425C1DA13375041B6AEF6834653E4E11F8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:41.124{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE708DBD898682D0A65514103CEC2DA3,SHA256=FA62A40802FC4036FA8331DBDDBA9F6A77B6C1631292BF6E949348EFD201CD24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:39.035{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51043-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:41.040{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5AB50A596F2D0617C90449308229481,SHA256=8A2FAE1CFD826D61EDB503DA6E1CC676E2E0D07EA8A7572A7FC4E0BAF0BDEB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:42.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B189669F695CEA3D5B93292258A36B5B,SHA256=7DC6C759A83E99FB4E0A4BE4B1CEE7DC035B70EE7B185958634464522EB905AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:42.275{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA26C9D7051273241BA9F8996F8875B7,SHA256=24C1F6CEFCC879B7844D667150A5EA70C2D3E8ADD6491048F9065A49A3801973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:42.124{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8053409051D95B87DAA332E3247BDA05,SHA256=BC61218E05E2F801B27090AA0B2EB292EF6A097D3D40F201359A2D672A5AF43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:43.780{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03AFEF17AF5861EACB064230366ED514,SHA256=F6F021CCBFCF308EF8A811841244A07551B19689D6A92072BF2DC994B0C1B73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:40.592{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-52618-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:40.579{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:43.290{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B6CA1AFF7DCE21EC01332075E3EC1,SHA256=BE62E85875FCDFDB35CB993F78A73D98B84A746215DD1598D08D07D9E29F2117,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:41.407{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64184-false10.0.1.12-8000- 23542300x8000000000000000299955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:43.139{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EED989E967C3D8C52F2B9AFEA4136F,SHA256=DFC6743A41F5FEBC743D62E83757AA5A063705A270BF9BDFD8A042F429E736B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:41.926{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54142-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:44.295{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E752BED8A5F32E8325F18D5BF17FC2,SHA256=AC14D46EBDBEA30A612F7D30D017A3CCA29684012060D85DF4EFE2BD4E69BB17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:44.144{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54108F685C6DA6723A4733CF2796D9C9,SHA256=8AEC8663A8925D3EC6C3339F1260FEEBD093A3AB8802313BA8D7CCC99694DE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:45.326{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97625CED459334F01AB771B4CC902243,SHA256=D4799B421D180520DE1CB1EF4EB9DDAE150FFD4722EB64FAE468CA00A9743F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:45.476{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1377MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:45.161{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3549F2D63EB1E82CC08F9F8F3DF68BE6,SHA256=092A21D19AA20589E8EE65054A0779A1DB9C927E687FC9A32BF3A06A2AD9BE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:45.264{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4424D2859C6AA433F9D0D79B538DDCCF,SHA256=29180189780DF55DCFAAD84250C84D68253C8765CBEF762FCFE5E20CC158EBC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:43.381{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55590-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000299961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:46.490{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1378MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:46.176{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDB12F54B059A8C705D0F0121225D2B,SHA256=C8DE5C936FBFFD84B317A3944EE1EA16C0B58A693BE57D38F6EC3ED4257A78CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:46.904{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5888E203B4BC743D4F498A745EA2784,SHA256=27815B5D708EEBCC46AC12E00E11D5ABCFD21AABE232AB02E3CCC457AE2D1BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:46.373{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874F8F7103C707E0B606B12A34ED6891,SHA256=4E8E33A89C1311F54704E462A6070368B3B5DF9EFB06A97E74AB6FC7F2B213BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:47.178{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0497D68E075B4C915F1DB2F41F419F2,SHA256=03B3E10C2846609E9809727809FBBD868613026A2527783AEC5DC5ADC90453E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:47.373{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACBD7F36134CD9FDA88903B8FC649FF,SHA256=77B9D60CF93536FB123AEE027593E600ACC5A7B8524986DEDBA63935F1F85E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:44.895{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57286-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000261788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:45.647{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:48.404{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227572429D84DFAF317BE71D049C9EA,SHA256=03CE68BBFC1C8E2F7CCD53A364989C34E221A4FEF11E9A656D7702FCE546CDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:48.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71B4C066FFC6FC2E2DFED0F0A762B64,SHA256=1965B2E0493793A2E855B168CE6FD5E10A10F317C166535AA29FB6082A6A2FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:48.295{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96887FEBA1F501500C4BD3DBD88F7AE4,SHA256=3688FA6BFBF849DC4203F88933EB26ED81D9B4EE9A1712FAF88C18603B45290E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:49.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C666C3101CCD23AE4468A51A20C6E0F,SHA256=A4AE57E55BC3FDACEFE5C19D4A972A0D2CF087BEB999720D7D93E07F71C12B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:49.451{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E8CA06FE5D9B72E2EA937020F63470,SHA256=D74D8F3C990E706E69B6BE673B2C8E182EF570B6B34B27F055ABA702C4F8CE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:47.383{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64185-false10.0.1.12-8000- 23542300x8000000000000000299965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:49.241{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6738E3A00AED774796D1F944B17B7D,SHA256=5F901EC37AE9423109596C5821B909920A145F07328054A8DDCB93FF94853670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:46.505{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58809-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000299964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:49.162{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000299967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:50.241{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56438BA196057A8EC6D72B55346C885E,SHA256=DE9026D579C633FF1D35C99FE973A15F66F32BBA9F42E70CCA0BCCC4A30C2091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:50.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2341FCBE23C543298BB62D4576F90C,SHA256=2722904C91A07E6CF09C9262E175E4C978C011EF8AA3F45FE6BE1D769652FAF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:47.848{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1448-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000299969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:49.399{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56747- 23542300x8000000000000000299968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:51.256{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF35719D5D02B6D7DCA956F73E0AC4D,SHA256=194395D8C31068D26ADE92E836A6C25FB4FB0B2057A548B0074C9C842CF8834C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:51.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAEE67FFEB07EB72E484DAB956BD80F,SHA256=071EF7C3B0D33CBC42A4049776FB8C001BEDEACE909F17E83696D7909C9CC817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:49.540{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-917.attackrange.local56747-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389- 354300x8000000000000000261795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:49.221{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2835-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000261794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:51.186{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26BA3736CD9CB0F942C278409701D58C,SHA256=704A14D74B336BB6174CBE37834733106CC44CBE03A74C4D84A32001E505D3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.787{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECB6B8879C4607A1675A4592B3B62E8,SHA256=C2C41AA175D233DDABA908AA2863638A4B18AD6360DE721C59F7EF7A6FB9FE93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938C-6149-E22B-00000000FB01}7828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-938C-6149-E22B-00000000FB01}7828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938C-6149-E22B-00000000FB01}7828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.616{5097E253-938C-6149-E22B-00000000FB01}7828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:52.719{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79773BA01F49C2C3E02FFF7A11D4ABB4,SHA256=B6DDDBF2468E2DDACE9C3C7445BBFDA7D12AC01F118D05BDDBEA6C9438FC99B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:52.659{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1369MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:52.485{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD59472AF86A053C1814472FC7F9AAD,SHA256=38BD62BEA927417382F7B0F54489286597B88674533230F744DE59B34D2ACBEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.178{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938D-6149-E42B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-938D-6149-E42B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.913{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938D-6149-E42B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.914{5097E253-938D-6149-E42B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A341261369916966E7CFE5738EAE2D21,SHA256=623B68394A3E0AF8CAF06DE241D8E625FB4972A21D3EAAA2B4491261C4EA90E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:53.673{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1370MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:53.516{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2FEB2E8158B0CBA0F419571609FBBB,SHA256=7E6F6C5777C43DC9B053D1173F9B1904D77F1C87B1A2B245FFADEFB5B34E2B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938D-6149-E32B-00000000FB01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-938D-6149-E32B-00000000FB01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.287{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938D-6149-E32B-00000000FB01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:53.288{5097E253-938D-6149-E32B-00000000FB01}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:50.868{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4490-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000300047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.725{5097E253-938E-6149-E52B-00000000FB01}59405876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.709{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FF1BE1841FB14608A5EA7F12DA1561,SHA256=301DD790F0A61D2BCF6A2C7C44A70CA0F998702832CC8EB54FEB2FE7183FB0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:54.517{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781A12CD7EF07DD464DF8F3F87F77690,SHA256=CFFAC1493A420EE89B47245F69E1CAFD57BCF5F20C5B25F25B251A05BA925DBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938E-6149-E52B-00000000FB01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-938E-6149-E52B-00000000FB01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.584{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938E-6149-E52B-00000000FB01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.585{5097E253-938E-6149-E52B-00000000FB01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:54.053{5097E253-938D-6149-E42B-00000000FB01}11524904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000261805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:51.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:54.251{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6B3EAF68FDEEBFC3B2AB5FF337C6144,SHA256=1E7FC2DD9001DA1C5C1A9A84E62D3FBA82B82EC0621555002CC179FF29EC838C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938F-6149-E72B-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-938F-6149-E72B-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.928{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938F-6149-E72B-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.929{5097E253-938F-6149-E72B-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.741{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6617CCDF54497EF83A349981D11C6878,SHA256=D03D30D8E50DDDF11DD16BE35502EAB05E127639A162C82F0AFDC6CAA1976F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:55.518{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DBDE3AEE55EDFD887009934187823A,SHA256=42E2D275583C6A6E677809C4969E2372F3581DACFC6BD436EAC268CC6F47FC10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.412{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.397{5097E253-938F-6149-E62B-00000000FB01}38924888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-938F-6149-E62B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-938F-6149-E62B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.256{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-938F-6149-E62B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.257{5097E253-938F-6149-E62B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:52.383{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64186-false10.0.1.12-8000- 354300x8000000000000000261807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:52.408{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6010-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000300070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:56.741{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB4DB3E86CD9FFE6A18C4B0300E2A11,SHA256=4EB95FADF1440B0EB8455BBB9F9809997CC06257617B96CC1AB6D7EAF36C4A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:56.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60D5E9B2B02CFE3F524C301246D0604,SHA256=4B88508BFFBE7F446415D9981F1D8C9FC81EB7C19BED37FE81836D42DB766917,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:56.522{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:56.069{5097E253-938F-6149-E72B-00000000FB01}10205564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:57.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BB6736940492EF89E0FB5411BCDB29,SHA256=0BEE3FAD0B6D1A23F75480420839515D4C31D8875C74147B58078CCC631A0296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:57.549{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6C199BD5BF0BFFAD830A6070457E1B,SHA256=002D61AF3FDEEF7643C52713C27FCB637A02C022BB080686A2F0A3F75342CEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:58.772{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2DF86DFB56F9243EC64CBEA171F93C,SHA256=9CBBEE5C7A954E089F4A5CF3990060102BA390677A72506AF40B00595A621742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:58.565{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D2F8AA07595562FEA7A47D05ADB1B3,SHA256=DEEEC8A42F94768CC662E6F348EE04B0F404450FC9ADBE1A32B6E4C43C90E875,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.899{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64187-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:55.899{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64187-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:57.399{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64188-false10.0.1.12-8000- 23542300x8000000000000000300075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:10:59.772{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB441256AFE89AB61BDF4A7B9E1E580,SHA256=07E244EBD7B155E38C2F9A93F4E5F8FA5C3F058FC88A21FA40797869F704D248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:57.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:10:59.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB128983F01F6633558481F850B0ABA,SHA256=C24D8D86755FB2A3950AEE30FA6C01108F649A87C722EFB82253673FC671F643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.772{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2FFE327D2CA4BF3733C1E57D27C146,SHA256=759328B07B5D754D1F72E8479DF279F4CD88EE9A79244CF5A6DE7ABE6C2F2CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:00.643{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C2B9415F2DCCA03143C4B0D3B37C2C,SHA256=D399290D8D736F0B8C51E5B59DFBF8E4F14462BE9B95B32489EEA140655E546F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9394-6149-E82B-00000000FB01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9394-6149-E82B-00000000FB01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.006{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9394-6149-E82B-00000000FB01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:00.007{5097E253-9394-6149-E82B-00000000FB01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:01.803{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6FD25895403BB84ECC391BE31A41B1,SHA256=BDF463EF38EB7127BB7ACE6B405FB4B7B45C0017318F592AB421FB1F660AB35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:01.674{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3714CA59E54F7159D38EC9ACE5A6704C,SHA256=1E7C06D3AC4B17C0E73869C2AF0A86B8DE0538FF5917401D9964E1480EE13DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:02.834{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2455965ED9D157FFD146461F7E56E5A5,SHA256=C76A848F6C2B70A130C24BA4DEA855E7F842877B6C09D960509061B03D164416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:02.690{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D21320484AF533567436879F98A924F,SHA256=87989F0B4B0936ECC9EE3704C06D55A12EFD8F163895B97D4F5B8180F1D7C81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:03.849{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04546FBBB581D89E51EAE80663E8CECD,SHA256=3983535BF6C37CC0C9DFD7DEFCCB7EE4B3BAEA4A1EC7611788412E7782BAB59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:03.749{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CD8E186D60238AC4B5F0DC46127E7,SHA256=3A19D236793A8E9E9FF4E06AB39DBEAA4935CF58B8EAEBB2FEDBFC582B42ABD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:03.252{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F64F6D591692EB609455FC6BC12EE3E0,SHA256=67301199598C7DEBF42BAD5DF53F6EAAFBC3C8FA0C7516F256E474BAAC0B54BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:04.880{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F28D7BFC0C01D46D59F49D5679763F,SHA256=839C04874A6FF613D130DBAD49968C774F0C39C6A5CD16A139AD4B4C75BCD80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:04.749{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF3486C24AB44FD60367884E9F231B4,SHA256=D558785DB30917A36D15F6F31ADCC4EF42EB0172D3BAD2E05CA80464F092EE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:05.896{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFD776F6265D70E867CACFF5465A9F1,SHA256=EEF03F4A238EDEAE7BE761127FB4190A903D7C74A0DBE8C8EDC1559DCDD34E19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:03.523{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:05.765{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0DE82B17ED6D46EA677A30364F66A7,SHA256=0B1774C221FEF5AA42CE267976C32C78A2627521B18DE8E5662BF71F857F6B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:06.911{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F9C145AD6923EE1B1D4036CF973868,SHA256=1216FFBA0AE309B395A9D7D0F29786888E4508D264BA507D08B7FABDEA8931E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:06.781{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A905687F79F9D3596E3227F22CD27956,SHA256=119177B5061F37CB7727FB16769E8AA719BFD699285149241E7E787E58B09DF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:03.413{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64189-false10.0.1.12-8000- 23542300x8000000000000000300093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:07.911{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E0A3DB0AD6B52EF85AA6280F021DF9,SHA256=900046916E8DEB70D6A24EA034A94C8EBEBFD74F37EEC9C9C1F7A8FBCB271DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:07.781{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97935B6D14F874D0F5557236C905FBF3,SHA256=B19A5910D993D11FDAECC3866C76CA504B404A87840DC3B8C5C04DE1C7F753EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:08.927{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305E1C4F8719618ACE96DF4FC4135349,SHA256=D5D05517A6617E637DD4DABFDEE0DA7754BD97A375BFAA1077E853A23B0C668B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:08.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6D464E9A19298C476F4CB72B1A9363,SHA256=26DD9B2B438A19B1032FD1D5723F0DE25C2407F07BA6BE801EDC654CBB2EF134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:09.942{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFEF1127CDB1FAF541BD106CBED23B4,SHA256=C4C375C103ACBF1CFC71E0E743B1A0D52DF191938CD1B85B99833449B099DC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:09.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A85C5ECD29079851CEB8117C4378C02,SHA256=FC984C696EC0D8EE5C2DF23C24662F50231C88D57BCE08A6E055E34D9C0D6723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:10.958{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5CCAA9ED902D9D50E50CC42750E363,SHA256=3023B57DD2986B7064005B57E4622C25912C5FABAF41C13244230D9874F14F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:10.812{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54264CC8E0C8834A6B542B0707904047,SHA256=AFF3DF2C80AA1FFAFC1381579F45ECDF41080E211A724AC3D09B854F67D34336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:11.974{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5E10C0389E507F35E4B1AB443D93C9,SHA256=B31F9551F7DF98A5D6995A835D17217BB637BC2A21A24D9D26075CA54C228E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:11.827{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C3D1E553D514EFF36667B009DD284A,SHA256=806F5C7E9A6E3523346AE4BB5DB0066FA970CBFCE2EEE8AD9D916705D199F235,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:09.366{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64190-false10.0.1.12-8000- 23542300x8000000000000000300099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:12.989{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5184287EA5040D4C9218DDEFAC69B179,SHA256=DFE6396A86080DE82CE32AF2380A69F11F9648D9470EA1AEA88E00A2197FCB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:12.874{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493DB37E825C1D158529421C67BED290,SHA256=0AD4ABC5AEC4AE6F65CA76390672FB1772A2C8687A1235D5E284214487562FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:09.554{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:13.989{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7128C921B499BE364B51790C68DD9E,SHA256=31F01F5FF43CC7B5971DED32601FA9475300A1387E9E9BF403B50FE8EBE92FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:13.906{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01D00093ECCEE1808FFCB7C167ABDE6,SHA256=CEB0BDFC1FA953CC2F75EA2F145F765E22791760D40EFAD6EA596E5814559DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:14.952{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C934422FA6124A30C79BAC710C3D35,SHA256=07B7398875BD37FA4CAA7FEB7A749623B90147CEC624161062500E0A6C49A40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:15.952{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8C30576A5313012D92751715B9D2C2,SHA256=64D73F0EEEDE492B37A742F6B4C61D49199325A3AFA755E05D9F18D8A68A585F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:15.005{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0D84C00D31500B4B9EF381CB0326C8,SHA256=69D7EB238D1D23B5A9D4B2D94668764F200E22AD917784A95822CE37FDCD4F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:16.817{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000300104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:14.572{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-58032-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000300103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:14.413{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64191-false10.0.1.12-8000- 23542300x8000000000000000300102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:16.005{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9AD7116124D63CA292DCDBC3458055,SHA256=5949F3D1EDAAF30CCA0304C0C89F578101383A655F963B27D3538ACE50BDD7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:17.005{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B63B46AC80EF0D3702C1B0A4AD93BC,SHA256=C4CAD0F243D2605B3BA866E9EFA4C183D9575F92C81472326897E9085CDC1156,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:14.570{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:16.999{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBD99212EE3D1DC5EF03D90D1ABCBCC,SHA256=A65F856D282AD82D1756F0A4F1B81FF2B3092F07A9DF2E4AB523A45142A2B48E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:18.583{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:18.021{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583E4EB9331AA4719384DA627E6AB4D4,SHA256=979977EC5DF8A8E33ED37F0C63ACD1EBEDE9252B90C7AC6051F56CD7EBF48710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:18.046{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1F929489F6975E94CF8BD6332258BC,SHA256=801D2B1174A410BE0D37D40194A2833C716BAEF1B759CB27C952311A657F0E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:19.036{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AE425158C70773D1096868EE19E7B0,SHA256=5F58816CF36F8395D73A2295598E2331C539A87EE6A4064A1C3CDFEE9C00B1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:19.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB095DD61B681DE076A0B179E7817EA,SHA256=2B95B8D1AC35BFA2FD346F860F84AB42B70ED05AF21EFAE3C1D77D1CD1FA7711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.952{C189DCE5-93A8-6149-5B27-00000000FC01}36563296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.749{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93A8-6149-5B27-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93A8-6149-5B27-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93A8-6149-5B27-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.734{C189DCE5-93A8-6149-5B27-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:20.124{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5FFD91BE2CFA920BF10745767E26D6,SHA256=F263C7800B1D3C3099616E7539536B7FDAEC7F8F88047E66BBC43017E2BC8E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:20.036{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC535451C9D5AB8E43153B741CB713F,SHA256=3D87CDD92183CA18C0E62FFC1BA4181CD6ADE89F511BE2316261C1D8378AC835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:21.052{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08B2D42B04D7AA029DC719424284645,SHA256=457F7A5DE1FD3D0CB4B4F6FF430000646F22574898ACC4708F6CCFC1603D95B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93A9-6149-5D27-00000000FC01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93A9-6149-5D27-00000000FC01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.827{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93A9-6149-5D27-00000000FC01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.828{C189DCE5-93A9-6149-5D27-00000000FC01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.749{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774D9F7812BB8445FEE13BC46FB3445E,SHA256=511648281F70175E131FB430504473A85D461BDC81D3D1D5044CD3D68B1E43F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.749{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8EA0FE09350BD47FA7E7C940EB775DD,SHA256=1BFAED94E0381A87B57B4A2AE49B842926E30E00EF4F892E04D22E6B4226C8FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93A9-6149-5C27-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93A9-6149-5C27-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.234{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93A9-6149-5C27-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.235{C189DCE5-93A9-6149-5C27-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:21.140{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A1855ED43C94517DF2548EFDDB4FE5,SHA256=B5E3A7C9A767D2027CB5B7F26CA217932FA716BDAF7F92FC1AD4505F7E23266C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:20.382{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64192-false10.0.1.12-8000- 23542300x8000000000000000300112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.052{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65E3C2AA868CEA0CCC62356D40B3507,SHA256=61EAA5B2117089A7DB0D4E86FB4547F660F41CDBA80DC7CCDFC0776609949E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.843{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774D9F7812BB8445FEE13BC46FB3445E,SHA256=511648281F70175E131FB430504473A85D461BDC81D3D1D5044CD3D68B1E43F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.671{C189DCE5-93AA-6149-5E27-00000000FC01}23242520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000261895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:19.585{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000261894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93AA-6149-5E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-93AA-6149-5E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.499{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93AA-6149-5E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.500{C189DCE5-93AA-6149-5E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:22.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2EA4BE617B1F600F30D161277934D1,SHA256=D245C2B70CD9E31C4E2387007A671561CD831BC68FB78DBCD1A6AABAF1B3BB70,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000300117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:11:23.364{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000300116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:11:23.364{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000300115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:11:23.364{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000300114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:23.052{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711B78776B2BEE1090A576B781911CB9,SHA256=FA10E875B8DE088019D7A8E0E1B2AAEEE999D2EF5276CEABBFE2237578F76E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:23.218{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7DD0F5F6AB4CF59411EB4D58D03A09,SHA256=FBCFD7C26A22E010447E1C4D80E5D31BB3DB3A3B89AD590DED8BEE2575DB1B58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.608{C189DCE5-93AC-6149-5F27-00000000FC01}35802372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93AC-6149-5F27-00000000FC01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93AC-6149-5F27-00000000FC01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.467{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93AC-6149-5F27-00000000FC01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.468{C189DCE5-93AC-6149-5F27-00000000FC01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.264{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F747C54D1759BCE7A951C103CBEAA4,SHA256=670F4FDCB3FA99FA7751E1601AB5BB61F8129BC96AA6AD0AECE6B9D668C4C387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.698{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64195-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.698{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64195-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.693{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64194-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.693{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64194-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.680{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64193-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000300119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:22.680{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64193-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000300118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:24.067{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5BAA8853763BC8ABA5318E42C621ED,SHA256=C2E27D0FC9E0199E5BFBA90CBFE057ADB1D018F891B442FBCBE3153319EBB032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04064947961BBF4B30218166C11C224,SHA256=947936EF216109C021E7F425B8176E460A33DD420422B3183A3E28EBF24B6A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6C9FEBF1E246D4EBA409446BA49C8DF,SHA256=F2983AD6F9C61464D9604AD0B19CE28CD56BCA1CB1199DAE02D1016ED3E19329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.326{C189DCE5-93AD-6149-6027-00000000FC01}39283936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:25.067{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94F4A84DFF1B9F87059840D3D481108,SHA256=6567107584A51A61DA9431834988B2B4282DF2C6D89E064BE3838D89866648EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000261926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93AD-6149-6027-00000000FC01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-93AD-6149-6027-00000000FC01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.139{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93AD-6149-6027-00000000FC01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:25.140{C189DCE5-93AD-6149-6027-00000000FC01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:24.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000261943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93AE-6149-6127-00000000FC01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-93AE-6149-6127-00000000FC01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000261932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.420{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93AE-6149-6127-00000000FC01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000261931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.421{C189DCE5-93AE-6149-6127-00000000FC01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:26.342{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B078F78B8B712DEC6E66C2CB24F7D1FA,SHA256=F3E4B8029F0ADFF2DFD0287C4886A837A71DCFBB95D18E1DDFBD1A3CFD01B79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:26.082{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A616A465A0358748ECCC77AF143CEBF,SHA256=2A87AD516B0FDDC6C001BA7DB6DADB0D07CB934ADC5C21CF57BAF6C3F0B60FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:27.098{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E824B9229EA85D412A9959E7C6A8B9E3,SHA256=EF4B5DA38379430D0214876E287D923218C2A487CA88E89EF3E9FDA4AF9731FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:27.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099DBAA09C9E0B3DFDA24FF0800B9073,SHA256=1C16AA4CD16A86D58AB7FB90149CD708CE3FE4D5C463F52BCB592FF1D3693E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:27.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801075A62B7310F3AE5916888AE64465,SHA256=7EC23E2576E4B2937E1BD8AD1D9E7019B6EE5F8A11732368F6AEA11593362BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:28.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D0FA91780DD9FEF4FD1AA05245F40C,SHA256=D25DE6C757A74864D68D4C86D5D155E89B3F11E60D8E761037A5F3A4E0EBD33A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:26.334{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64196-false10.0.1.12-8000- 23542300x8000000000000000300129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:28.660{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9BE05B6C269D91FB1987976718607A51,SHA256=53CD462EFAF8A6299A4E5BAF91DB30BBBDC2A74125CD76A5FD0ED855B6199F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:28.098{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65212032AB8B4C7D0E70FECF8779A3A9,SHA256=03824E250F4B89C31186633574E48302B7D69CD708E564D74C12F3DA79ECC658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:29.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BF9351CC2381EA98A0416A20F9EF41,SHA256=8BAEDD195929CBF2FF183A8238E278E2ED24673DC561AD4568017C19B17CADD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:29.114{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A0864499983EF9264D66324FA034B3,SHA256=DA93C35668413B703452D1897EECB796EBE5EF9A4EE1EE031847043695CD8E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:30.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9D19163E011CDD0DA7E6BDEF261F5B,SHA256=8B9C90AB0A887FB6E4EA1A9D210026EC1B3C06EC9EFEBB7AD0164600F11FEBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:30.114{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F702FA7B230231348379374C8ECE7E9F,SHA256=C54E5BD301AC98D13FA6A75244BD2DA43142A870F3DF7E7DC59809D5521BB0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:31.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51E3E822DBEDAD2A82989AD0E6A3710,SHA256=691239CE52B2E9C2AFB40027AE25D6AA2ABF67A7DF30DBEBC70BF906BF94E547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:31.176{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3932866B035F45C7B0E0808CDA2C9FF8,SHA256=C601C9898797A7123853252CFCE9C85A65ABE807C406BE23A600B91127C2D5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:32.561{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EECC1D5616259B5DA3AD115722925EF,SHA256=7F7FB24FED0C2A9BCF9FB7C441FC92C75A2FCEEACAFD1F007B50BEA419ED2D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:32.192{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A4DB5767BCA7DA0E8DC871593873E3,SHA256=6DEC5CD11058714D818E5EE21352B061762C55F0B364CD1230B6C1E91772D7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:33.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A88B0D328C4843FC3AA2A95CEB7E908,SHA256=FA353DC413ECDEE7C1579BE12E93142D63B50F2C4D33456033202901180A3E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:31.521{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64197-false10.0.1.12-8000- 23542300x8000000000000000300135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:33.223{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE179993C3ED835DCB3BB0F72281C98,SHA256=087CE4FFF1CD33F59E933E80B8F9CD8D58C00DA086A2AAED76ECED7284579A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:30.569{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:34.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36616FBA05B99A5FD5D9AFFAC2805B99,SHA256=8F4A3E23D6D0B697294F9EA77DDAA773EC0ED07C47C4786FBA7A52380272696C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:34.238{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5067E5B7CBE4C69D7914E8EBFBE7B7D,SHA256=4BF24A01F79C3F4CE9D368849E2968C3E38E2F939629087F3C19DDEADD896212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:35.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685D0A5A425102FC8C9727CEFD916ACE,SHA256=5EF14EA42D01B8BEA3418CCAB22E92C067B125BC9FEA60DC77FA2A85CF20462C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:35.254{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596EB6359FC4A6F9891B822947D6B01A,SHA256=C6EEB54184BCD96C204D941D56A268FD6D2A6C44EDFF906DCB0B430462777BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:36.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC4111110CA9E30B3B74EAF1330B076,SHA256=F6993A92D000A7CEB52FB5DF1A961CBACB672CB9A109721B436B780E1EFA316B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:36.535{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:36.254{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C20B1E90C20FA29229E2F46228594F2,SHA256=FE198A66A0415BCA7140974F9F97C2DBD65E700995BEF204902331E20BBB53B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:36.405{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:37.655{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D85CBAD2BED29053A6FC4EDE1CEC337,SHA256=D3D406B9F18CAD5B09B43929A1A8BDBC4FC6B8222973E20E30DA3AA0FFC96A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:35.834{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64198-false10.0.1.12-8089- 23542300x8000000000000000300141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:37.254{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5E6EBFD5EBC4BAAD19974103B97807,SHA256=D4E604C811A5C00B6AB54B60B880A9143262045BC009540612B430E549464425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:38.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0A846CAB649AF32F8B8A4D06C30198,SHA256=7B3F204D50C0AA86B5F2DEF724F0AA1470F203562F438EDE5FBAC21DAA8B7F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:38.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3C005500E3E4FAB443E6C94E08BA2E,SHA256=D5796DF1D5081D0C3D6343551E6C77818E8A403CF8A572DA89DC3B239C313FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:35.866{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000261959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:35.678{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:39.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E384BDB66B898F262A82AAAFFEEEE58,SHA256=07BA70F8946A45AC345378593CD4B83A72F9546359846D482C81FF16AA171459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:37.506{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64199-false10.0.1.12-8000- 23542300x8000000000000000300144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:39.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4317D370D6C8B1FE425299146AED1064,SHA256=2794738BA8FB72986EA376071B7211483FDD6F4928268D8A682CEC94F953F5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:40.858{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCC36B705791844781A1647DBCF001C,SHA256=ACE264256EDF10679D078994A1C8CF9D158C93CC1699D151B52A027877EEE4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:40.285{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8567A2BEF2392C65670EB943F9C37BCC,SHA256=8FE3448AF93F85FD4CAC97B8CF48769644201E33D014BEBEB4E53D486B66A17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:41.858{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A71A3EEB9E3F7C98BFE5C0C3902CD16,SHA256=92C3AFFE6E42CF2D938132328D50CC82D7AFB75BFFF1DF56499B0512173383F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:41.317{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5ACEA91AC84F5CCC985551677FCE51,SHA256=9B288EEB1FEF003C27A7D8E97E8B94F000F0655A12B0AA072D635FF4C78D3402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:42.904{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F47AE6F32903A0677A11D0A8CCA3AB,SHA256=105FCA6164EF3191DA6DD817593648C774C0B52E297395D21A801564157AA8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:42.332{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F04349A7756A516F0F111EA1F83DC2,SHA256=C36699AF035DC1F2C0A065320CDA14934E8D42F74BBB0BA3507C182E1030BBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:43.987{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15352FB72E9C724A49B47E3F613CC00B,SHA256=7D0AA237473B93AF6DAFCF9BB4ADADA0BDC537EB26DD62E006E16317F86FBB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:43.332{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E038E9D0FC4D0CD6156C6A41B89619,SHA256=16673DC8916AE76BFDD286414413E5C0E551ECB49E624F21C245346A6DC375B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:44.336{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE06595F4C42A5BA43B7E5831B0FF92,SHA256=FBAF8ED1DCA1404F376A124EAA9B390ABAA788C977C5189A35B0E963C1AC1F16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:41.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:45.336{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E2930A24409F7A5DF7F78035818C72,SHA256=1A77AE8C73BD05D8F040D2B362D7AA39F3C49986707B7262B1C7187B901FFF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:45.033{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8C3FFFFED6CDB29023CBD3FD0A31C2,SHA256=DD5DE75458EEE0EE66E893FF86F9DB4207DC35212E8E9804404C6502D2B0B822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:46.352{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFEB09D88D405DAB9729CB7AC042C08E,SHA256=875E634592BA27A87AAA0A3E684A7070D3D436F2FD7E47971DFC45AF36D65693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:46.080{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652619DA7FD1C974B754DFFA876790CC,SHA256=838B07FA1261D8528918E81E598280C00E4BEA3355CEE3B814732279C3A366EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:43.416{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64200-false10.0.1.12-8000- 23542300x8000000000000000300155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:47.367{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E73E2EB18693D9F4F47CAED0774625,SHA256=74737241C455E5DB611770D436834BED6C61F6CBE3A9F8361C3E3F01D145E99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:47.112{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA89DC147C3DC00E0BC0AC5B29E3F2F9,SHA256=542609B5D58AF1044CCA40BE9F07039A4C98BA9B8F678B78435FD587018BCBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:47.011{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1378MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:48.397{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74A51BB74078B587727E9072A48634,SHA256=3AAE69420160E6378B93BE5A3FCCE269EF7822E520BF4CE3ABA9AFC16F4495A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:48.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E74C18C4DE2EAC2E99CEDFE3D08FEBA,SHA256=96E9FBD0968A474535713CEDD7D5E355A9070408C7B2ADE17E029304D9B8A585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:48.025{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1379MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:49.401{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3627E72036D4DA5E1466108F036FCE45,SHA256=36A466F32108719FF9DBE44A789061038D678EB6E72D5C146B3D84123B763117,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:47.666{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:49.174{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD93D6A74F0F5999D05763B9AC72AEF,SHA256=09744E9E5B13BD51293C17A281BAD5AC0683B4BC0B1FD4C7C64C4D09C0304B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:50.401{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5E545D91AF40132F6377D3F7C6A5D8,SHA256=3142D8FBB45D5E9926FC54A1EFA57E42F5D89B62240982F0614CA2A5C834125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:50.205{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9EEF3168BF8C85BCB7C56D9C77D8E8,SHA256=5C4FDB3F5D01C79BCA2F6D62407097FA7BBCE34027E0CA9434DE661935F92504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:51.432{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E89CC6B1EDC951D1002ED9543F1979D,SHA256=04821072877F6AB3FFA96911F577E94058D1BF835B67A3599CB89B8E800D0434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:51.237{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5ACC5C2C8DF6A0C50F737B65112F7A,SHA256=DD18ECACC6CACBA2B82A41FB2276E3E8A2D61CA018D8B010B5F4B073BBDEE384,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:48.418{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64201-false10.0.1.12-8000- 10341000x8000000000000000300171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.760{5097E253-93C8-6149-E92B-00000000FB01}14082920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93C8-6149-E92B-00000000FB01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-93C8-6149-E92B-00000000FB01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93C8-6149-E92B-00000000FB01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.620{5097E253-93C8-6149-E92B-00000000FB01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:52.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530D408EC81C94385DC86F9EF4F70869,SHA256=656C564C19ACC560921229CF53D0972F3EE0F4B56B11552D02B6570BB484BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:52.237{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8F4FAB8E8393B0D93954EF8F09E249,SHA256=A2D7AFA7AA8889E76C439EE9566AB3110C386EEB35B73F891DBC25B13C651A00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93C9-6149-EB2B-00000000FB01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-93C9-6149-EB2B-00000000FB01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93C9-6149-EB2B-00000000FB01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.964{5097E253-93C9-6149-EB2B-00000000FB01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3A5F04E8B4CADA25CEA56D0276A407,SHA256=35E5033978EBC9E15CA0AE577C7B25C8A3DB8EA40780C9898E1B5C76A4890FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:53.283{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8F654D807F1EB21B0FE610D6CD7873,SHA256=FE27116FEDE5457F30DF46072DC0CE320440E7990BE10D6452D7ECFE2BAC85FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93C9-6149-EA2B-00000000FB01}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-93C9-6149-EA2B-00000000FB01}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93C9-6149-EA2B-00000000FB01}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:53.292{5097E253-93C9-6149-EA2B-00000000FB01}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.745{5097E253-93CA-6149-EC2B-00000000FB01}70127568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93CA-6149-EC2B-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-93CA-6149-EC2B-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.588{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93CA-6149-EC2B-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.590{5097E253-93CA-6149-EC2B-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.463{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773A326861E814803EFDFD4B2E8CE3A7,SHA256=F03C9287D1E6F161ADE37414303ECB289CA9F386221D09B82D3C2E115B4256D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:54.314{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF885C448DF8B50FFCA0C956D5FC271,SHA256=BC07F91FCD92EB4B03DCA6BF8389CC4723F49B0B11B7D36AF8EFFBBC0D1778B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.104{5097E253-93C9-6149-EB2B-00000000FB01}77646080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000261978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:54.192{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1370MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93CB-6149-EE2B-00000000FB01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-93CB-6149-EE2B-00000000FB01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.901{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93CB-6149-EE2B-00000000FB01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.902{5097E253-93CB-6149-EE2B-00000000FB01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.479{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93086DBC4FEAF43F41F7123A5A2BD46D,SHA256=F0883A5294237E0D289FC544CBE85A800A5DDCB5843A81BF1F08F2511E3363E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:53.526{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:55.360{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76C85D0235FC38C671B9FF7ECAC95B5,SHA256=18C17FDC33CB2FB4F06F5C6A62E527BD3FA3E4764E3A76E1287F5CB568E8BF0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.432{5097E253-93CB-6149-ED2B-00000000FB01}69924444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93CB-6149-ED2B-00000000FB01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-93CB-6149-ED2B-00000000FB01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.260{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93CB-6149-ED2B-00000000FB01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.261{5097E253-93CB-6149-ED2B-00000000FB01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000261980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:55.206{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1371MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:56.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A8CDB0E79694D0519BFBDC83E560DF,SHA256=21A9A61103E35D96513F20CB99A4D935A2E47D65B5BE1E55A9FE9811F56DF285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:56.362{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119786F8279E2FC6668090C26415B292,SHA256=FAE916F918A5BE6E9B0CD11B424150E151C6CFE8E3288A272AAC9194F77F3ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:54.387{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64202-false10.0.1.12-8000- 23542300x8000000000000000300220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:57.510{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC40E710E20D73097485B440EF1E110,SHA256=64B531608EF10CFD3486F6A0AA41F9C13F4181CF3CF03080987CA6F8C6F5645C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:57.378{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8B1541FD3D70441FE1C717B626EDB8,SHA256=5340728428EC68C76FB25F9FA64A8D869B19FA80DC3EEB7C2BB1EB28B9ACEA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:58.510{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BC9555CEAF86874564A368398BC1F1,SHA256=302DFC2825CBC31C6ED9E27B2035D4575E63FFC9B6065D20E9EEC59AA30E71C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:58.409{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8338FA87686ED58F9567595436391688,SHA256=119AA33503A284C6FD32EFF73CA64E9BE9529B8353BA011B4932E8B35E7480A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.903{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64203-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:55.903{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64203-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000300225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:59.542{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC5611AD5BF154AE2D438198A6958A0,SHA256=A443A6C5A91EC94804EABE299D4592FAFEC01FF874CF5C7BCD9B1FEE7248D489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:59.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36EE0D50CADE7839DA212D04620E2AC,SHA256=2260DF7F313177D4E80D721DB5EDB02D80F274C997FE19C9D985F443CB26AB20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:11:57.413{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om62760-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000300234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D948A6EE6C9C38D1CF02DC47CB5F78A,SHA256=A3C89C3EB806ED4B00930D4E116AE53F4FE99C2D737B872F3ECFD775C74E59B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:00.503{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D232B0EFF5D40D6C57B1E85D16576A,SHA256=2F5712694012A715B1427A1B5630D2C93F011E3004E4B9CFCDFC21CC35FCD26D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-93D0-6149-EF2B-00000000FB01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-93D0-6149-EF2B-00000000FB01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.010{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-93D0-6149-EF2B-00000000FB01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.011{5097E253-93D0-6149-EF2B-00000000FB01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000261989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:11:59.511{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:01.534{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94FB7232AAE062DEDB683EA67FC958C,SHA256=035FA30D335793009E2CC96C2B48BCB4A79F6B2B9E52B9BBBAA15DDDDFEEEB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:01.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CDC06484805D78083EF8BCD487DC91,SHA256=04DD2908E7072B8D0B1DFFC0F96EAB040F981B30C9DBA8F3F3F7EF76FA69B4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:02.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D437FD97FF9D8DB6ADEF48D391A5D4B4,SHA256=813609C304A048E74FCA8B7E43DBCBDF984772820D6E4496C5487E267003AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:02.549{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BA910CBFEE8A7DFAAA36CFF95712B9,SHA256=189547A67115749C804A8DE21D43614EF60D67E05454939A96011E305721E552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:00.372{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64204-false10.0.1.12-8000- 23542300x8000000000000000300238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:03.600{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890A612E4571456CE1C936FF9D273F5E,SHA256=41446FBF59D15C9DF3E6C42770E47DB4FD063DD559E395685F8A583FD39F933E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:03.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496C17A979E2E5C09A0CB6C4A652F918,SHA256=D6963FEF7CD9927556260DC986C2DE087B61EF3C11B5D5258EC2804AF829C714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:03.253{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EE36BDD33FBC321438E2B48232BDBABB,SHA256=99F0309FBEFF4ACD5337D347E4C71ECD99E06DEB618258EA0806C53DC371D9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:04.600{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE1C18717FB5ED14DC8508F92F2BE72,SHA256=B57BAEF96FAE3D4D43F54C82262E303017AE750634323C30C14E36B7FC01C91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:04.578{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B6B086172AFBCC53EA853B5CBFC7E4,SHA256=5FC01A852233F7506F7DA2C429358E9C5228DEB476A2E0EF577A6959C69F3A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:05.594{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D52BADF514576AC5B8522E03319C2,SHA256=C19ADCD0D9D338C94733187CDD3BA0DD8CB822C87328C6C35FF0E4DD28692E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:05.615{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAE915B56724AE6031759FBAF503BE7,SHA256=D85DD8A7A3906CDC0409FAD98395C9E533551490001F4DE3326C474111C8EFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:06.615{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C2DD08293BCF241B5F1F81A9FEEEB1,SHA256=AC8827837E0C31635D171A169FF9D026E902ED6EE7E0D96FAC8F00D6A1F1FFBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000261996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:04.633{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000261995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:06.625{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9076F2F2637146E46539F6D3348C83A1,SHA256=0466EBF6C95CFE57B9A6D949268CF365CB0D48E1748AE42BAA0A5DC7FBDCC342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:07.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE97B40E6AEEDA422058FBE316152C7,SHA256=927468DF3A5F76EB76BA44996589EDF422D515AB1A31BCC75B2FF625CF2B1F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:07.672{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7B362E8CE65CE85089180E05A2283A,SHA256=A4B7C417D2256F6D5AD53F66E4AD306959810F7ADA5B2658BD87F01E05D6CA65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:05.555{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64205-false10.0.1.12-8000- 23542300x8000000000000000300244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:08.647{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBA5B897720BF5B349FE093C8DA90DA,SHA256=3A3BB63CC193C8470A14E546A098C1863068C1AFA98212A0FFBCEAEB119272A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:08.688{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA913B37B1BF8065F51F6A32E0893595,SHA256=E9CBFBEA06311D56CC93614D64C0BE39FB0AB511379361557D0486C5C32D652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000261999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:09.719{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA3F7A32AFCDFC6E2B629C1FCA0716F,SHA256=B2A4088B69AEFB4469F810516A172B1D296EFC2BD28A56540BC2612A5C70E46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:09.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B10B7E36C8F953F6B427CA7B41A844,SHA256=23811A95E519C26DC453FDBE7B454532B3CC5FDDD4D0B0D3A45E9FE696040537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:10.766{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AC35B4CA338AA3D8F3B2FD3E9842E4,SHA256=6DBAA3F27C5C362019CCDD7F455D492E836D84B2E2812CDBE520C6EAC7F7596A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:10.678{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BDCA42ED237D702AC1A8848BA6A190,SHA256=1E4781D70245104944758FBE32382A668E976D7FFDF719174C3077410822ADA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:11.725{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BB96FF0396B2F4FDEC9AD65CFD6EEB,SHA256=124946ADA910DCBE9247D6867165435980802877F12499ED81FF807A3CC1893F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:11.781{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B595588224EE3E79FD25AF34D3502DE,SHA256=8371217A2E03E80B6E720B5845096ECC667AAD5E5C8213BF45C0738ED038E76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:12.740{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED18DD93FB5F787ED6A5ACD5740FF3B,SHA256=2B15275C91C778CDE781B89F51F7B7AA0576561EEF885036E103CAD25733C39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:12.828{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F06757E3DA51967D350A87DF93A647D,SHA256=87D85586F21052999505209B3D7FF444739A526BA1FE97A09EF3F6E7E39F63C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:09.695{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:13.922{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986350AFBAF7D56A24AFA1A4B7B5C0D9,SHA256=245454D98332EFEA7D87FEC5591CD0B6D87FD0D28C8D59BF9A61E59B9FC865FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:13.740{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12849CA4AFE9B76373FC54F7706ECAE7,SHA256=D22CE6702AFF49682EA374DB9000B6A7453A5F0C64E0A7B8A999EBC66EA1BBE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:11.367{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64206-false10.0.1.12-8000- 23542300x8000000000000000262008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:14.984{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F212A632DA4AAD978CD560C5E6BFBC,SHA256=F651283389330B1EB584D30AEB5CB5C2C02D72B9A6284C3C5708D185B085A9DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:12.494{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50955-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000300251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:14.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4525165342A6AE434CA45EF5D4DDB2A8,SHA256=9C082C1EAC56F80A90738D7B1E90578250B13C9F5C187AAFF668A594022828B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:12.363{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com17017-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000262006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:14.172{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=424E2C4D4C42F72DFAAE789E86035413,SHA256=A25158C04227F97CCA6FD75511ECF3368FA1D71B2755A29F4D00DBB3AD929557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:14.172{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=815A14227081BE9B32E433C7400B85ED,SHA256=EF46F56899629B7AF32D6253D64AB81B4C25273D0DBAA430250D86580CA93744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:15.803{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7BDD98D63A1F1C2F473A201EB67F09,SHA256=FCB2F257C70587C9DBBE7E1B51726FB82B4814FEC29544B1B8AC11D5FBD4394C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:12.634{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50955-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000300254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:16.818{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C6CEDB60D6340D9A8228EF23575BBD,SHA256=C7D05F24A8AB746472D2D1CA7A0FC5085A76DF3FEA9B653FF1EF63A31F55E563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:16.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BB6DA798A645704A8858FD111DBF01,SHA256=8BFAC054FF6CDB6C7133E291C66996502AB59C44E56A13A799B4ACDD5925E4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:17.818{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACA715AC5BC43E50B98CF61226421EE,SHA256=E7643747C81CD2311AD97A12BB7C75FF92EFDB686AD1538FF2669142D3CF4CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:17.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E35D6ACE1035FB1E96F3CD082ECAC5,SHA256=F49B65AFA75371EDD48AA7D783869043461D0DD95B993E18A0CF7F76A2446CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:18.835{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA11437BAE32A8328F2356D07965A54,SHA256=7B46FFEEA58C2AFCB731817536987478E30A7934A2596FE5FD702CAC134438F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:15.617{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:18.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C1CF84C39923A3020AB29E4AC12255,SHA256=A669F819C42537742C56B744EC08D78044166FB7F00AD183006C5D32207A1805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:19.850{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE668795A65069FFB7704C4B18173839,SHA256=E714FEF273501487E46284F96EFC092F81C7AB8B5CB0CA257A7E4A82B9FEEC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:19.078{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503C9D46ECCAFED986924890FA8FC0A9,SHA256=5F4D0A4418CA33C50EEC2B22FC5155A6C1763E6DABC1A1B9C976126D51ECB78C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:16.383{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64207-false10.0.1.12-8000- 23542300x8000000000000000300259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:20.865{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DE1C7B6DE672ED6B71061125DE3E77,SHA256=A5755C0C306A0A1E07F0CCDDDD7C17B143C113D3350AE36E9B15F6F3F08CE614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.922{C189DCE5-93E4-6149-6227-00000000FC01}36083932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E4-6149-6227-00000000FC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-93E4-6149-6227-00000000FC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.734{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E4-6149-6227-00000000FC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.735{C189DCE5-93E4-6149-6227-00000000FC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:20.094{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A79EE8D38AA221BC5960A9DF3564837,SHA256=BFD758D9B547A64A7D04896991A51242EE34959F3C4B37F641402624B3B084A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:21.881{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CEE9A1DF81D2411F29F8FF2F3D391D,SHA256=C2631F84FA2192F27A4B20AE97DEE010C7791952AF41965057AC67DC42A57AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.750{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BDDF3D7F378732AB46372A3F7DD0D1B,SHA256=9FB18A18516FB3FFF311B75ACAF23D36C36AC33B46FBC4CFC7A8678645EA56FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.750{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=424E2C4D4C42F72DFAAE789E86035413,SHA256=A25158C04227F97CCA6FD75511ECF3368FA1D71B2755A29F4D00DBB3AD929557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.594{C189DCE5-93E5-6149-6327-00000000FC01}36562952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E5-6149-6327-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93E5-6149-6327-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.406{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E5-6149-6327-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.407{C189DCE5-93E5-6149-6327-00000000FC01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.234{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42918414EA53E25FC17878FFF36FEDD7,SHA256=721DCBAAA04010652BCC87FC1EB328827BFE7C160C3C73582BD724FF11F92DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:22.897{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819E283A2708695C5F1241710752E9A6,SHA256=3CBE2AFC886E6D6FC4DB192AC88E26B75B5A62A070B81D8E665421C792FAA05B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E6-6149-6527-00000000FC01}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-93E6-6149-6527-00000000FC01}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.750{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E6-6149-6527-00000000FC01}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.751{C189DCE5-93E6-6149-6527-00000000FC01}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0910087364A39820AE878FED7566BA6,SHA256=A5319FAD68C89163E57923E19C61D1A08527E529C66BFD086C03B8E8924F68FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E6-6149-6427-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93E6-6149-6427-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.078{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E6-6149-6427-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:22.079{C189DCE5-93E6-6149-6427-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:23.901{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95611BEE96BFB690321811794E4711F,SHA256=89709B1E938C59E664950AC44CA2CB147C409F59736482D7E82D27EFBF270CB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:21.524{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:23.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79909771213C55D8DF9D2D14FFC1308,SHA256=51ABF0F9AC80274C66180AC54A883E26C37ECC6B7F22479B6CD4F44FBCAB35AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:23.313{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BDDF3D7F378732AB46372A3F7DD0D1B,SHA256=9FB18A18516FB3FFF311B75ACAF23D36C36AC33B46FBC4CFC7A8678645EA56FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:24.901{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B976E6C8EFDFF80FE2BE8CB2E4B3753,SHA256=1024463F0D8E21E0F6715AD1554836FB25B11F0ADE015561019105327D0BE322,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.645{C189DCE5-93E8-6149-6627-00000000FC01}1600736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000262090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.489{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4F1A6058160B476ED838BA912D4D9C,SHA256=2F3B888CF4DC8CCE4302ACBE0CAD177BD48D3B985E6687BC32664B1A941A4B28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:21.445{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64208-false10.0.1.12-8000- 10341000x8000000000000000262089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E8-6149-6627-00000000FC01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-93E8-6149-6627-00000000FC01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.473{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E8-6149-6627-00000000FC01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:24.474{C189DCE5-93E8-6149-6627-00000000FC01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:25.917{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEF305939B9A4DF97CAD539C9F2AAF9,SHA256=BA458D9F8897C98F214655FCFCCDF28A9DF20F84292A28A229DE5EA464AFB1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.520{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE3C4DE936F70AB22E0B19F4D4B2C0,SHA256=B1B6170C6A48EF99DB8630ECB58D37C9193A5087AE5C4C7F1E4B52DC0D4146A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.489{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E542BAB7A6D21DDF48FCE250F5B375,SHA256=B766FED065CCB0E7F571B564002F2B1E445D730FF2C7529ADA1436D18A13F68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.286{C189DCE5-93E9-6149-6727-00000000FC01}33842372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93E9-6149-6727-00000000FC01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93E9-6149-6727-00000000FC01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.145{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93E9-6149-6727-00000000FC01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:25.146{C189DCE5-93E9-6149-6727-00000000FC01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:26.948{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99D7EA354ED0829972E0A956F9EE1B4,SHA256=1513F631020DF2E88F9F987AF0265F0329075B563C4DC221DA7AF1A1BA52E733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.536{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FFFF5AC6D7C9E33A637CB860D833BA,SHA256=5DEDCC7B7D85EA74D47AD1C01EBF1A4DBFA01591D5DD9B164F8B0D0E00635E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-93EA-6149-6827-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-93EA-6149-6827-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.411{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-93EA-6149-6827-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:26.412{C189DCE5-93EA-6149-6827-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:27.964{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F074429C489DFDD4EF7E2607916F1CF,SHA256=2875C27D21E3FD385E9D8E3E0373969A4746F325E864AD551174F0B766F11D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:27.551{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066D5B700746C1A653297B50BBD257C4,SHA256=33D43F0F3B07680F5332B3EFCDBECE87CD68C9D3AF9A500809431A4B55F1EF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:27.442{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E137122598D94B97F902546DC2F8298,SHA256=661F1DB04735A88B3B44283660F16282C7AF521A589613C3DA67CC36AEAA6A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:28.979{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06EA7675A76E649DCC032F57E8F0968,SHA256=A5CCB1F6A8C06B38094C391AD82D66DB17CB401C7E801A8CAB41AC7D6A21409F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:28.583{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C7E2D8A73AF93C147B60D5C797B3A2,SHA256=99615851DDB88E9F9ED7EC3ED58BD0B305519033F3498E0CE5D62713906E8217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:28.667{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B6D9B046F5E0820A53434181B3A4B48,SHA256=203C64869EBAD11E29C69BC32A3EA8AC2B0DE821A4327CDF8DBFDB2E359F4BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:29.979{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC88783B2ACCFFB085B249129AABAA3,SHA256=54295FE7438BCA9DFC153B1A1076357A84F4C009C7CED5266A53064E77810699,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:27.559{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:29.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BFFF12F6F9CECF144ABC597022E636,SHA256=24EC7013EC990E6D1EE5C61C71A52BCD0F8C1A74FA64B9FC1074661FCC9F32D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:30.979{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6490520E2A78FDB4A08C30D2E0F3B8,SHA256=240D836C9D4AD227441A02937127F7B30CA404D870AB0DC78A08E3CBE9FE3917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:30.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB81B29562C8D967C2A717A5E6C150F1,SHA256=168608456D61ACB18DAFF483024E64064D82289CF433CF32D2A8F81091C3517A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:27.465{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64209-false10.0.1.12-8000- 23542300x8000000000000000262128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:31.661{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3520BC41BBF3FA9E3C71EB3683FAE5BE,SHA256=1430BFD5907DD99EE0E633A498FAD56BA37631F36420224EDC62B1578B560094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:32.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D2AD9B3062443EBE616636F9D9F68C,SHA256=EB2B5E29703F56AF5B50E4025693F5F81B3EA5EC2FA6850F4B522E2B7F4D26DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:32.011{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D3CAA6EAA204DC7F19C0B0D2BC642C,SHA256=3B6394FF86F353741F4FF15125ABD906F99504DAC4A865E4E76EF1C4847C70EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:33.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E366F16C00B6DDCEB20FBD17220746,SHA256=53494A3BE03ED0DEE62D9C303D4287F99897AAC6079098FEAC2CC709775D9BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:33.073{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A67BDA1CAE0FA580DEC20884FFDCC7B,SHA256=5C8B3506468217470BB4EDDE3797AA58D4AEC38A564C6905C1B65AFA1A7173C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:34.786{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F32A02A3E69D5DCE790CB9C280FB562,SHA256=83EA93E0D9696597417560E8F57D0F3692F4CF55822BF691019BB77397341BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:34.075{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7489837EDB1EE01C609B7ABE9DD29EAE,SHA256=1F03593E96D9CA619DD08BF1BFF47587165B18D0446BE8401E4EA9CA1B6FC826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:33.528{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:35.817{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D90902C8E90615292D1F38B3F22EAB,SHA256=0A704A8B2197BCF342644BB1C2A59A90E1944F06B05E448A278228D2BE38D8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:35.294{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4BC1941158F7F00F9CBF28B408D532,SHA256=EB301FD7C2E942AC9607D70C5131BC1CF8CB5F3F515BB880866E823A44F799F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:32.935{5097E253-484C-6148-4400-00000000FB01}3708C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64213-false169.254.169.254-80http 354300x8000000000000000300278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:32.840{5097E253-484C-6148-4400-00000000FB01}3708C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64212-false169.254.169.254-80http 354300x8000000000000000300277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:32.796{5097E253-484C-6148-4400-00000000FB01}3708C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64211-false169.254.169.254-80http 354300x8000000000000000300276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:32.795{5097E253-484C-6148-4400-00000000FB01}3708C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64210-false169.254.169.254-80http 23542300x8000000000000000262135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:36.864{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE21D2AA982A8317ED87D478F8A70F63,SHA256=AE303E8B7BCB3845F0A0BB47FEA5BAF8975B0C4AA1F59CE1BF71779D8B6F5F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:36.559{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:36.325{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B171408E5DB54C1C7AA2C85428335D,SHA256=0C00FE8F77DC2EB43028BBE63E1C4FBC0E722033EF25B81E50E22EA69E7B503B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:33.452{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64214-false10.0.1.12-8000- 23542300x8000000000000000262134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:36.426{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:35.888{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000262136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:37.911{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F188223740974C5798FD9AC5F229FF,SHA256=42ACBBE253D21CF6D31A225D0763BF37F5C1FADFE1D806D9DB810245B2DD72E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:37.340{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CCE55F253039507B26BB92B9E6A77A,SHA256=9076ADB94BDFDB0F666A1BA1EA41B4EBF639BE85D71672C27FFF1DB26F726EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:38.942{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CB4247F361BD5914EC5E0FAFFAAE56,SHA256=737A4046F3851B1AB31696F1832123309B86F8A5C67DE75CC46883B011F6C95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:38.590{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EDDF8E2D7680E6EEB79B1575E94AD45,SHA256=F778CB6C995679CFF0627652B79745527063A744DD7526CFB28058A85A7426DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:38.590{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D3D8AA434954B4E70D448A28D2447E4,SHA256=5165EF2CFEB46C056C344929E5205236547605846040CE67CD138A6C4A1578E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:35.858{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64215-false10.0.1.12-8089- 23542300x8000000000000000300285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:38.356{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50014C8891AF1C4F7BE30C2D33DD5F4,SHA256=D71F48C6012ABB34EDAF8681CF2811710079325925867CBA54072C522A970D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:39.958{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD7C4FB5F62DD2F2C377BBB349A711F,SHA256=B97E9B2716D5CB8B382F221D8A9F9AE5472E3E2B77AE66ADE88698C0E1474E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:36.891{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64216-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000300290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:36.891{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64216-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000300289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:39.387{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B0167F6989E6FED43E91C655FC8667,SHA256=0D94BABADF9A6092DE88F3C3774D07598AE3043171DDF69A51BAC2C8F80C9748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:40.419{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFABEA2474273D38D369E1D2B1BCADE,SHA256=2B503E6B0D7325680D950BEFC59A55C4D77BAABD6CE550075F48D3D31D279FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:41.434{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DFD3A41339ABA8964C587A621D3F97,SHA256=7C6B73B2F71BC6891A106230099A85CACDAE5D225E4C034A54425499E4541CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:38.559{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:41.036{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12B0AC41B6F65AE8A9EA438E027F0DF,SHA256=9DC2CF5935BA0EC307E10A12389561362675606B740960899B7349B9808D4220,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:39.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64217-false10.0.1.12-8000- 23542300x8000000000000000300294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:42.450{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CD76DBAC5D9C63505CF48BB6FFE3EA,SHA256=7C57CA4A7198115710ECE3AB274A6E0C5B4B3BB648506E02F98E20187EBC71E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:42.051{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE60BF25A7B131A53F4FF30971CFC91,SHA256=75691DA9D3A9BA4A3519F432620E9FD3221D8D4082F85EA5ACD948DA925E26A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:43.469{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4C9A420BF45DA6902CB5B571440FDF,SHA256=36F0C7D68991C781B316D4223DDEB75F02C93DB2A0D47807B309CD531EC9E9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:43.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8336EE9C49CBBABC507EEE3385305AB6,SHA256=A7439D5C0C3B233776F9F33EC82BC1B60160224AE3C5FBDEDD68C92140C7CA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:44.484{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5634076FC865365BB9E4A27A27A428A,SHA256=0C06FD7E0E2CC800BE456C4E636D66F5349F13A0530CFC0581B79A78CD84D18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:44.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBC9EF37A68D3C528C72F7D543D904B,SHA256=9C5812EFDE4949D32AB5D50E3090AC69683F244091F771CD0F59A42E32B77D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:45.484{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C34BFEAA79BB8DFC3B814A5121FD31,SHA256=2F6446C7ED59FFA78F599A99BB29E427703EAC68B74F9E798F4DA0558CB271AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:45.135{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7617CF8464DD9172557AD72AB4A2EDDE,SHA256=79014B2575A497915708FE7414DA0D738D44F78554A25C8BCEE97235F7381E8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:44.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64218-false10.0.1.12-8000- 23542300x8000000000000000300299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:46.516{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4A0ABC7E9F95BE6BA72113FBA18388,SHA256=4A09457B9EF680073E4E0F9E82D8698365DE5E8C4C993488355776F48A43B220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:46.166{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04C98FED371637EFDA5EA9EA2846C72,SHA256=D400F4F04FF7B45E4981CC6F80EBC6B74DB40D93C91955BE568092BCA7A89D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:43.565{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:47.531{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7494D8D92A7F034A258C2E1501228B0B,SHA256=78658F5C54D8E52DB98A53A54C15F8165838DD5E0CE3CA1C54AED3E5BB4E2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:47.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2AA1B7B2C340E2AD51043F8DE9F5F0,SHA256=91AEDC0F7371E19A8FB2B1468ED5383B58121952781CBD5801CF0AD20DF8F399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:48.552{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83698BFE4DEC201CA6381BE12D06BEB2,SHA256=4E800013C58857A62B92989E68987EE2393F3F288098BE1F62C65DE9892FE95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:48.550{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1379MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:48.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7473DF9CE77D21534699C60B610624,SHA256=371815EA60BC9A25F0E5CB96A29C412000CBAD287B89CE96BE7B9492676293EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:49.555{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE4FFBCAECCDE88C7C3D9A02ECAA482,SHA256=5FCF86DC3D019FDB49EFB9F6155B641387C8A2B694C2656449E73E4A3A735F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:49.554{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1380MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:49.275{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFC956EF85C5F7783E69ADA3DCE640D,SHA256=3346AB2C6DA77E792DB0CF6C89E3E2F974281ADFC6EC21876D7DF37FEE4228B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:50.758{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441C9A9CD538F874BF9480C04358CDAC,SHA256=E98B419B0C256817EAB1113092CBB2E430B3A85DE4895FF50EF99DCF99BB82DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:50.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528098638A8FAD3B42C1FFD467770A99,SHA256=424264137FEB581B51EF0EF7AF223BB1D2A0EB87C24757D96688371443C10CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:50.164{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000300312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:49.557{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64219-false10.0.1.12-8000- 23542300x8000000000000000300311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:51.789{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C8D73012D5EF25CB433A340EAC2892,SHA256=DC8631FEBC4021BA6DE181151588EFEECB68CACC18D67D10077949DA9DCE3F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.322{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FBB2E3448D36482300C68C590A2FBC,SHA256=394742793B3135B1EA6F8526169B3D7D1636DD46ABED8ED4392541D69965FFB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:51.555{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:51.555{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:51.555{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000262169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:48.642{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.057{C189DCE5-4A3F-6148-1600-00000000FC01}1168NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.041{C189DCE5-9403-6149-6A27-00000000FC01}30361396C:\Windows\system32\conhost.exe{C189DCE5-9403-6149-6927-00000000FC01}2940C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.025{C189DCE5-4A3F-6148-1400-00000000FC01}3721080C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.025{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9403-6149-6A27-00000000FC01}3036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9403-6149-6927-00000000FC01}2940C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-1600-00000000FC01}11681084C:\Windows\system32\svchost.exe{C189DCE5-9403-6149-6927-00000000FC01}2940C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1600-00000000FC01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:51.010{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1600-00000000FC01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.805{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB4D9A825CEE5603E74F2A491A8C7C2,SHA256=D4F226AF7B361C546CCF8FD7321F04A1744C5E241E38EEDBC5E03A77EF8622DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:52.353{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C98C4F26FF00EFA4564EAF13F84E669,SHA256=6E274EB1F191205BF505AF496FA6BF4E74828D59C245EE98AF8D8376C86ED8A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.649{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9404-6149-F02B-00000000FB01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9404-6149-F02B-00000000FB01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.633{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9404-6149-F02B-00000000FB01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:52.634{5097E253-9404-6149-F02B-00000000FB01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:52.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6095BE099EFFC720BAD02599860FFC48,SHA256=C53EA0AB25DEF7BA69A15E0E3D8AEB6875AF475927CCFA0E6EC80D4D23C8DCB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:52.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D996989C186A8D65BDC920092C82039B,SHA256=F7607F00788D123E9A9AE97EB92F7F2B2C85B10134A97F7A087D3A673622DE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:52.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=940948E0F8A7BC63716381A49E2C7973,SHA256=5C6F48376384396D546CAFF941DF4B078D354E166B54E3CCA7AFA8EA2342ECB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:52.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27E0039D33D301958448409A05F54A8,SHA256=AD2DB3A7D816B656BE0DC2C741AF8E0FC3653C270FCF665245ECC168D8CDE80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.805{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478833A17731FEE1464536144D28076A,SHA256=FC95A7C005980060A5760677F977034DF119319C67CFE3ADECB6FFB8B7C0CE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:53.416{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B17122E2B84D86660EF529F5436F70,SHA256=F1F8322EA7C40D17CDC5B0B2CF4C0A77AEA7A865743878957E53605DDB9EF133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.461{5097E253-9405-6149-F12B-00000000FB01}21045300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.430{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9405-6149-F12B-00000000FB01}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9405-6149-F12B-00000000FB01}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9405-6149-F12B-00000000FB01}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.321{5097E253-9405-6149-F12B-00000000FB01}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.836{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE5E628EA2E784631B7506BDFDDADFD,SHA256=D35741A64DF13737245AF63428D0FD705025B1B6F5EA471CFA83B1F6047A4DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:54.463{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727676758DA8B466353E6D623BB6FA51,SHA256=F584F546E578FDA9746257CDDE018E56A35393AC2926E17CFD97B5038BED8F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.805{5097E253-9406-6149-F32B-00000000FB01}66326584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9406-6149-F32B-00000000FB01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9406-6149-F32B-00000000FB01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.664{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9406-6149-F32B-00000000FB01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.665{5097E253-9406-6149-F32B-00000000FB01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:54.133{5097E253-9405-6149-F22B-00000000FB01}81365260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9405-6149-F22B-00000000FB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9405-6149-F22B-00000000FB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9405-6149-F22B-00000000FB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:53.993{5097E253-9405-6149-F22B-00000000FB01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9407-6149-F52B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9407-6149-F52B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.977{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9407-6149-F52B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.978{5097E253-9407-6149-F52B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.852{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A6D4C957F8CCDD966C394C992493B4,SHA256=80791B8C021EB7490961B4BA3AA16256F0435C68B08AE3DEA67FF2627D741EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:55.734{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1371MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:55.465{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFA6EEECCA55BC183E3F91578696D2D,SHA256=5D285634283168673B408841A5BDC5FB3F520C803A0F8B2E88F97144E0FD19CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.477{5097E253-9407-6149-F42B-00000000FB01}70445032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9407-6149-F42B-00000000FB01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9407-6149-F42B-00000000FB01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.336{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9407-6149-F42B-00000000FB01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.337{5097E253-9407-6149-F42B-00000000FB01}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:56.883{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3F2693202765AD99B04DA7D68F6C79,SHA256=DE08579EFDF795EB6ED2A4F1944960FEAB8BE24338E2699CCB59E0A5DFB074ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:56.732{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1372MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:56.481{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC18FD23958BD47FA772B6700A08ECD,SHA256=068CD2C7A1CEBCAEE88F69ED331E48FD526B2718848845FF0C29B42EBEEBC488,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:53.721{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:57.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9DC8070C9A15575A22041BC0EE6A36,SHA256=6C3FD4F13658ED432538B47CCEC48513F5FC0D058DB0EFA84AEC453272F2491C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:57.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1B57F4E981400C6B1D66372B11FC63,SHA256=4DDAC6ED94DC62D71B91B0D95E1206568F9987B4268E107D11CA363D8CDDDF67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:57.336{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:57.341{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:57.341{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:57.341{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:58.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD0F0D651BBA66B95CCFFE870D2CCBD,SHA256=D37F33C0DC17195499D420DA64AD3473CD7ACEE41B944383B8822F26B947244C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:58.498{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C42B48118707B506E994835AB0D89F,SHA256=FC58186982859AE068D6559D2CC35FD2D71EA3B405738E81E991C0AAA692D62D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.916{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64221-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.916{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64221-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:55.525{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64220-false10.0.1.12-8000- 23542300x8000000000000000300385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.977{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EA13DA1D463A0CF761153D0513EEBE,SHA256=0CA5D8B225A814FC6B3F163F45E3D0C088B4150FF4B1E8387E776A400D057A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:59.529{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA4F44C4CBC7BCD37B49E023A46AEFF,SHA256=93FFD6719C0200F5239743ECF1C4872E5CDCC05A96705FAA9C7D1A0BB8A12FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-940B-6149-F62B-00000000FB01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-940B-6149-F62B-00000000FB01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.867{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-940B-6149-F62B-00000000FB01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:12:59.868{5097E253-940B-6149-F62B-00000000FB01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:00.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1C9E0BEAB4942FCFEA83635FABCCC4,SHA256=D0F01AF431B31FB0D12B25BAFB4EA5C582B15CB46F642BFAE76F955D3598F957,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:12:59.678{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:01.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54503D0148F809DC0E446360378EF5D,SHA256=80CBB00B65D297E865ED76A57D8F52D6485662AE38D186E424BC5606D1D889C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:01.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A353A5169E12E374A7AFEC297F8AAB,SHA256=8FFC47C98C758CB929BFB927476A1AF4E91C919BA53F46CCC9EEAC54BA2E94F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:02.638{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F4286F7CACC7ABEE5186602C87AD5C,SHA256=59ACCB43F32A616A46F29FCB07806ED2F25AD4DA241E798153EDF5B2011D74D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:02.024{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9CB3E63296DA2202799C3EDDE886394,SHA256=E0CA57F5BE5FBD7331E460E8B13B3F7AFC2AD0CD29CFE38E823019D1EEA2510F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:03.710{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6EF17D6F6810A3644E99E01FFF0C17,SHA256=60FEF1ED6D5614CCA0F90B8B68F655AD80AD1FD3AAA0130893B9B442023A89D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:03.039{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556E6E3EBCC74EA8C1FD7D05EFDCDDFF,SHA256=988476A246F8076297FEBB68721DF62EFD5AA69015AE7295342402E23C6FE8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:03.263{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE022ED649ADA20E5A8A3164A7E7EA22,SHA256=DF689E3ED19E79B5B85AC2648816E091340F11FE069767D2EEB3A842070469FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:04.726{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CDBA732F2298FBC167024832F3FD34,SHA256=9271613EF3B7DCA4D53794D44807739F90CAF874E44F41914252165AC30DD481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:01.525{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64222-false10.0.1.12-8000- 23542300x8000000000000000300389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:04.045{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD83F478AD6D932F7D0D20C9F3EB7BA8,SHA256=057B78749B9D8D3E904D92B763FF3ABE6EED20937382E7604BB7A6335B3FDB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:05.742{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DF150456F0DB4CE5DEFCE0D0D0F695,SHA256=D1FE25AE5AF3C4DDDDD3E739027A245DA7101AC7FE367F57C59D3FCAAC9A64FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:05.076{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3CDCC9245940DECC225587F9515C54,SHA256=87769ED53DFF4AC62D4DCCC937532B1C2BDE28E934C3A7B9B2AEB8E1F9EC3CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:06.788{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71D93EED7E11176D00556FF74BB18D8,SHA256=42E55945CE5535BF16EC8C1CF2522763C8C5645AD7AFBA52F18D726B829076F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:06.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35276A02CE6987CCB97BFCA260DC23DE,SHA256=25D5141E5927F399E9254FA83D58617087200569250D60FDA3ECFF0C970E619E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:07.804{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0065D848000C7FCF352FDBC66C82AF4,SHA256=A31036890DDBE9407765674B58054A8A0253C90EE1F44353888722146CA0A474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:07.108{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1BE8D8D8C6839D429B848B7DCEFED7,SHA256=62526F1FDD49976D4ED9E437E4A49F009F9ED8E7731E6690514F11392C95A1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:05.687{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:08.867{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591327CB82AB5195FB9C6E2D9CD3E70B,SHA256=2E2ACB0AA23CFB10F85408DED951E5BC2445D9B275C6D17639512AAE035BEB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:08.123{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B717F4B5A34F409E90D8ADEE83E0850,SHA256=5AFBEBC17B81B4390A263831815F5BA3CF57167FFA68CD095BCE22F5E014AC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:09.929{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A658ABD8F233ACD2DA8B283948DDCC,SHA256=F848A7BCC766C6C3CAFD2A0A413142D5A9EA133D3DEC6542B72C82C9960D1F02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:07.453{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64223-false10.0.1.12-8000- 23542300x8000000000000000300395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:09.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDF725250907BD91CA85DA9ACE86E9D,SHA256=FCC5488110D8C396EF0974C2C52ED8B8E880CE7CE0DAD860FE26077E5427B0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:10.992{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E81CF03884865D74A32C7CEF83BD58,SHA256=BBCBC1BEB167315E37FA24EACD9C85291404AA1F4A1E98ECC3B9E6C7871EB4E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:10.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF164FE2517A451D0FF0ED7AEAE952,SHA256=994903A1AA8B3530F95511FE6E10F2853BA5CA38A86B199414B6E7AD4E48763B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:11.185{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B1EBCA1B1D0169BA87F7BBE2F07DAD,SHA256=AEF688A33636C8E9EE086FCA86F8BD00DAF42AEA1CC3A71BF8A9817F8C5ECE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:12.217{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D2B1F66534A258A0A496AA8E6F36E1,SHA256=36393421048D8AC63D526807B94E67C5FD772C6D3D20C596900C2556456131B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:12.007{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD3C47A075794A68DB2231F58F1A67A,SHA256=B6A1852EA8C4E50EFCA57076D9AE10B273209E5D1645B83C6A91EACEFA1AB36C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:10.719{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-50999-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 10341000x8000000000000000300435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.420{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:13.232{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFAFCF14343CBAAA71EA4CEDD3E9E41,SHA256=3910A571E3F0E54358D449D926D965399ED8FB08A59D86B08135E9DD4F57FDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:11.515{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:13.054{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF223BA4AF901DD7919AE895BDDD4E5,SHA256=15E57050A401B234A1A9B58D8C8FF5658A5FB2EEDCD4B37B0EED1BD9F2AABDF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:12.453{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64224-false10.0.1.12-8000- 23542300x8000000000000000300437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:14.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE1138E0D0A5D8F7A723ECC54B5A59,SHA256=AAC8E68B5161F26AB3BC84BEF14DCE27C0C78704C1370E0C8BC1307FE5AF53E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:14.148{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE051922EE385235F996A21D7CFF4B35,SHA256=B46BC3F649179CC14DE6ABEC7A219480871740FB266187484B86FB0F48BCF309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:15.451{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF144DC1A07DEEE4E26BAEACB11F4F,SHA256=9F5507BC194EE1BA29B6FABAFD9DBDD8168A73FFFEBF0B4CF5A36B6047E3C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:15.195{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986383222D5B43D7FD7EF10F7BE55CCE,SHA256=02B770EFAF8CD3FF75C2A4FE9E128B1550A77CBC7203BC0FABB1BC77D41E23FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:16.451{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2593A5822BDDAAD18215B4143D1F53,SHA256=2D8F3E541B3D8EB9ACDCDD1D1C07A6E6E7D25F30063CB1248114F0694B996780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:14.726{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-51453-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000262208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:16.210{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4DD9955FE855FE064CFB0625DA3C8D,SHA256=50445B99D3841F9A553A6B5ADC7311E740EE1CDA346048E24FE09F2D95330FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:15.494{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50968-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000300442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:15.233{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-52158-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000300441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:17.467{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931895091901533171F9E477FDD2F5C6,SHA256=5780ACEF1CFBB1A74D75052941EC4AB653F12E9343FB1FE278A7C38986FAE582,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:15.635{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50968-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000262212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:17.304{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B268A9860E454F4D2CC73945F3822F,SHA256=6F90A19E2C257C000E0A89F071AFBE24B9CD5813A68C416A1449ACA2D7F1BB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:17.163{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9064A72255859C75BFB08EC09E7A56BF,SHA256=E1CCF413F801F99ACBBE90BC887058E1A2FFBAC4FDCE38ED84167BD5A99485DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:17.163{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=940948E0F8A7BC63716381A49E2C7973,SHA256=5C6F48376384396D546CAFF941DF4B078D354E166B54E3CCA7AFA8EA2342ECB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:16.671{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:18.335{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5FBB546B018880B6D04D03596EB481,SHA256=5829892C524DAD386F9CEC901A3C79720DF025B3D0B55505C03C1F3BB7241F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:18.482{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055B625DB3F0580F2FEAB34A94087ED0,SHA256=B2F7F3478A5E3C776D1E3223596ED85AF6BCEBC1CB4C030F021EF35A1B0F232B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:19.351{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A1B105E6C711340D725FAE89940E24,SHA256=F000C759F35FFF9460F0DA93741C800DE566B34B94A467C8054807F525CE1659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:19.498{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BC72A96DBCE8459FD29085118C50C2,SHA256=20E31C5993F104AECC3B17753C78B0040DC9063289D8DA7D39AEC5829EAE32DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.898{C189DCE5-9420-6149-6B27-00000000FC01}39841868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9420-6149-6B27-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9420-6149-6B27-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.726{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9420-6149-6B27-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.727{C189DCE5-9420-6149-6B27-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:20.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F38BB4B738590C0BAF6BD7F0883991,SHA256=10AB42BA1F0F04BE5EDF73CE027C6BAA2AF2BEA659B3FA53058151510E7D4EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:20.513{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791C4F1E598424DB8A056DD22F7659D5,SHA256=6B35E84ACBB1BE6E73731DE07F1036DEC3955F1CEE83E7FC4E2393970A5E9EBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:20.326{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9421-6149-6D27-00000000FC01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9421-6149-6D27-00000000FC01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9421-6149-6D27-00000000FC01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.916{C189DCE5-9421-6149-6D27-00000000FC01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9064A72255859C75BFB08EC09E7A56BF,SHA256=E1CCF413F801F99ACBBE90BC887058E1A2FFBAC4FDCE38ED84167BD5A99485DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.913{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEC53D9156FD10842553AFB680908E7,SHA256=E1B856686D1FFC7BBEE62CDC77281BB6C094947CF82BAA771B5DEA3ACF258A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:21.529{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82A514D29C88F3EC3902E63B219CACD,SHA256=F75998DF42AD100C0F2B93796C28EA156693CD836C0A799997B0B76DA114AAB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9421-6149-6C27-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9421-6149-6C27-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9421-6149-6C27-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:21.398{C189DCE5-9421-6149-6C27-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:18.406{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64225-false10.0.1.12-8000- 23542300x8000000000000000300450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:22.545{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0608D2C08D650C07EDC2507C764458F,SHA256=149BC94B26CFA943E1D324F64CF943307A005EF33E1B7672B2956A90FF69776E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.945{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A78B15997244D6F1A25AFB31F07D3B68,SHA256=5D41C97B1D0F17B07DE7FDC58FF3B8956F0E5D56DFC4262D3CF32D633F5C1D4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.726{C189DCE5-9422-6149-6E27-00000000FC01}31323232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9422-6149-6E27-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9422-6149-6E27-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.585{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9422-6149-6E27-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.586{C189DCE5-9422-6149-6E27-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:23.148{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FE320E19E12AEA7C0624A8B5FF8E87,SHA256=F69D9CAE953AAEB178F7AC140E095B126617BA17529A75BAF4A4006447234DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:23.547{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBA85DB680523D7151BB4FDBD6E4E4B,SHA256=8AB37AB3298EDCC63C2BAAD491FB9AF339E065CC4E0C523AFA187180B95EEFB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:23.201{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:24.547{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE647234EB40E8F17D1AD20C638940,SHA256=E9C8F17FCFBF897A41C18D2385FB895CCBD3D4FF768DBEFD64E8746DA3B343FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.634{C189DCE5-9424-6149-6F27-00000000FC01}20843492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9424-6149-6F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9424-6149-6F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.446{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9424-6149-6F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.447{C189DCE5-9424-6149-6F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:24.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01C5D3847D4692157B6D5CBDD517DB1,SHA256=F9A412339EF52EDD6DD27A55639A19B697F992F72A15533BB3EB5BAB4BDB1AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.462{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C028907C384C1B6E8F783E58ED18365,SHA256=8947AB4FAF6188F6CAC2E6B2009112E15424A5C10842C567C0CA3B69CB537424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.431{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF59B3BFDFB52A79049BB1F61B1F5697,SHA256=73B344874EC9C8069B9E7EE0B59EF6A7AB36C915A9EEBF540377D6AB8F94C3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:25.562{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA97ED15879013FAEF89E2F1AE6FF4C,SHA256=998036827AA4B25DBE33DE1A73527524EF5A26EFEEC719F5992C29BB0CE3D056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.275{C189DCE5-9425-6149-7027-00000000FC01}2308368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9425-6149-7027-00000000FC01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9425-6149-7027-00000000FC01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.118{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9425-6149-7027-00000000FC01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:25.119{C189DCE5-9425-6149-7027-00000000FC01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000262291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:22.671{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.478{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3245725F9C59080D98FAC14C2191E7,SHA256=EA85773F8B74DA0DD89B7A58483E9B234DB40A6C698852BA1B0BFD492B3E9A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:24.330{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64226-false10.0.1.12-8000- 23542300x8000000000000000300455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:26.562{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76427766FFBB82AE332081A5492183B8,SHA256=8DB389C6E4001D501703E1674DAEFFE6211EC7F35E4DEED69D1E48E37835DD8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9426-6149-7127-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9426-6149-7127-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.368{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9426-6149-7127-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:26.369{C189DCE5-9426-6149-7127-00000000FC01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:27.493{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3F2A2C39421CDF518BB58F4BB43F8F,SHA256=EDC00D51F9DCABE42E9328350915A93913BD2688612C050CA31272785D2B4DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:27.594{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FC59D71AEBEC42ED0567E3D4D3DB48,SHA256=0B2967D2286D9C6609D87845F6946167EC81595A27171F817AC08FE2AEBFB949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:27.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756E6801EA06BA89CE93283FAD48F7E4,SHA256=6E39357A7423866808BD92C6D9CB58157ACCD822B99E7287B6C3E8399558D309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:28.672{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=75A88DA499583AB7A96C352A227E9EEC,SHA256=05525B30ED73417C7369A002EB71D83F9D02BD806B90ABEF21BC98DF6D7B0318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:28.609{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66AEC5FC69B180CD1C4D1190B1BE7A2,SHA256=699C48E7813444D44FF0810D77397C11C290747A3394E4ED74F45B405DA4AB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:28.509{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C9B0FFF721D1851769E70B01B63B91,SHA256=366BED41B487330DFE10024A774BF2872CF9CA74A9481AFF0714EE08E0999DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:29.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06A0BC106313FAFF31BCB5BCCB173CF,SHA256=CA613920B383270AB33AFB73CB44FC329D974479DE141062397E9CF5471F75C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:29.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D3F07F07C7EFD059F40F391E6DC6E4,SHA256=B4710F5316130A9FE487E6FEE8D9BD2B544027EAA4D892E637243FA0100D90C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:30.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9FB0CFB162DAA0196505DDD96DC446,SHA256=0C789CC56A1B2F5503426A8CA749F2D33F400AC3353801440EB6B330905D1C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:30.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE9FBE14CEA30C4210183C7DCD5C92C,SHA256=0566103D096529BAF0BCA9F9DA32A1F8BE25F74EC636AB28E4F536E552399157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:31.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AD7090AC2348DC239C47F392D59F1C,SHA256=891F088E0635F38C40A24AE0CAD80106F2C37B4FC3667D4995F3D24D48883E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:31.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41481CC849937AA4171AD8CBFE7DF535,SHA256=1AD8577B6C52078C2F4B6504397D481F16C388D7ECA57E940E5E5C0BBB6F8180,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:28.657{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:32.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3917EDE5735637F756D6D61C06F970D5,SHA256=FF3B822E1E506D818A0BEE35BDBA40A3C1A58BF769483A62278DF05B8FB72337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:32.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B1A069EF43413048BA09BD6E27AEEC,SHA256=9C0E12378C88CB12AA41C7AB364B82C7A7871910B8BC6839002C00D4FBF06C94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:29.564{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64227-false10.0.1.12-8000- 23542300x8000000000000000300465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:33.672{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1B3C9B6B2EFE07F415FB15D2E2A58E,SHA256=20EF57FF15E2FF7193349DDC69BBBE3979A21FE93A0F6C277D9FDCE88D823E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:33.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F4B1A9248AE51DD20C36356B2C5142,SHA256=31639CEC9D83D6B6D7228CF23C922ED7949D63E7832B89B208AE01C07342400E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:34.571{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC69D3701298550918941236684CB65,SHA256=F99ED0D0B4E1FB13EE95C104B2954B0BD1EBD038512CC295F891CB53D2375DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:34.687{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878A347F3C7821AAF294B4D345825540,SHA256=96DD6BD6FE6CFFB3FE9E70DD710355250D0643BF27F073094D5DB518A36ACEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:35.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAB4268039B653F70250C833427288C,SHA256=E350AE53F0363E417AEBDA169ED73A08EE5969EB543D46E1AA7FE67BC53DCDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.781{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.766{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000300467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.734{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C458F61A04B72A73FCD63CD1507A48E4,SHA256=6384A1A7EC647CA85428AC498D925C68F95ADB36B785B7124FBE50AC7553CF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:36.781{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87DF766E31548F904E95CAB9A4F7289B,SHA256=EA1A61628B0009ACE2B1D126CE1B150DDB393DE44A00D42E3981221278ADA03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:36.781{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EDDF8E2D7680E6EEB79B1575E94AD45,SHA256=F778CB6C995679CFF0627652B79745527063A744DD7526CFB28058A85A7426DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:36.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB3EBABE8B65359E36FB329E9A4A190,SHA256=1C15053F0284C62196C63353752DF21DA50152B45F6AAD6F43F6E48ACD69100E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:36.603{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95941E3A9AE2BAC852FC276BE003D299,SHA256=3625C1825E5FF452DC09631926A64AAEE90647D3BC3425BA47697DFFD86B3B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:36.446{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:36.578{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:37.765{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8B016DD8919184AD0B0D7579565FB2,SHA256=973447C49918C229D829EC45DDE28025D7D782E8660E86EC0462EC8CAC6AD77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:37.618{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B22A98B86DC35A02DC76372F8EE9FE,SHA256=245D3454DC6CD91EFFCF3FA675F2EADFC8357E70C7F4210312BA308B78F9263C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.083{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64230-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000300478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.083{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64230-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000300477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:34.979{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local64229-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000300476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:34.979{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64229-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000300475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:34.973{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64228-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:34.973{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64228-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000262335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:34.657{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:38.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56DE554AF68B1AFBE3BD9E32C83C584,SHA256=2DF0981A8BE16EF587D8F0BCD01C772657315990EE62C1B28FBD276438833202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:38.781{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B12C40AD6201083531C79895E8833D,SHA256=1728F2CB48BF8E44096723FE9922302B6376B774B96CE837B6FD6B5200649BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.876{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64232-false10.0.1.12-8089- 354300x8000000000000000300481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:35.423{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64231-false10.0.1.12-8000- 354300x8000000000000000262337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:35.908{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000262339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:39.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE53754D326B88AF3532DCFEA4E6D11A,SHA256=8125BBFC4C6D01C7AC1DA5D548A703C52756E534D5DF22ED43A03922624CBA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:39.797{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1F6663F2C74F7D4C9ADB0EAB6BEA34,SHA256=4BAD3C9C31E9A2E278F7B596DE81D76C77100B861FF6F20DEF026F8C67D3BF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:40.812{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A62CFABFED2AA40E7EEB0B88046AC8F,SHA256=08D2061D07FF1FA97585D4B3C19F7F5432912BA80FD502202277B66280F014C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:40.649{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13DAE3BF95289FBAA92CBD7EC9DC03A,SHA256=157587B48F876D4FF1D84B1F413E5BAE800C99A0074D3C2C34E8F0A6B6A3E9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:41.828{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5800495AECC41963CD2A7030B3EA8E16,SHA256=A5C0F8B5D65BFA1F6065C7B7582DDB3F84664B75B9790C5201420FC8BFC791E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:41.665{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916AC3D9E0B81A61A87CC63169A697B4,SHA256=408D26F4904C7FEB19CC4A2CBE3732F9F02B2654F922D2E8198E44D4D6B8E5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:42.665{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58DFE64FDAA71C6D62BF7AF923DF7DE,SHA256=9A8B237202CAE7CACFCCD0DE252F567E65A28493A145D79A7C6B5734F9B074E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:42.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44BC9A9E3EAF8005CF306EC278468E6,SHA256=DF911E1341EF36282F10CCB8A233D0B62C7570D251497BB4A725C9EF4D2D77C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:40.596{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:43.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EFAD1EC60E8218DE9734BA9241DEB4,SHA256=185F8FFD2E6FE5F4B1718B5A8FB122961BEF158285C750E7B5306C04DBC26C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:43.867{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE37A3B5D6817E9A499F9B715D1B3533,SHA256=38DC90686269FD03C39989852B0BAD0F450F6CBA655DB4DACCAD93A1F6531A60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:41.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64233-false10.0.1.12-8000- 23542300x8000000000000000300490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:44.883{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B2E44878599CF4FBAEAEA70798EBD,SHA256=0346F799CE3ADB0EF0A4226A87142EDC2CA44647D5863B70D41DFB244898C0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:44.689{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4DBB912F06CB7DCF47300D157878E6,SHA256=99F337DB85FE161395CB1B9E42B67D911CC6B3B17C8D9DE415D4108CF4B8F68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:45.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A899C12B4C9509B4F439528ADEEEE0C7,SHA256=5665C2BCF5A0D14D5544C934F4E30A12EBA163B4182E7DFBF2B9E1480D556524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:45.689{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFFB581E75F22AD3CDE4DF8DE90DC02,SHA256=6D470780F4D141E400BDDB05D3A45D58A58784DEB21E0518D828905C707BBEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:46.914{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71039DF276ED4DD92EA7F1231F088116,SHA256=3C87A75BAD8B78456FBBF0A6B662453E1B970295623625DA6596B4104A7C101E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:46.704{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872C494137BC03700E67AF6FAB985D51,SHA256=8E5BC7E4D1741F5BA18A72589CA9BC37CCFEB324B0D6D3BD1F56AD36CBB3AD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:47.720{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424F5DE186B83C00AA8859FF2AE15B8C,SHA256=C7A2058F73BFA3AFE735A2112AB551E491303FCF6F21B4CA1636D2BC6BE60835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:47.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61F5D55590AE7355749A8FC80FEF4C5,SHA256=5EDB9A9B0B3F33078BDA200812C26480664007BCB937FC84CC3E35B021D7AB3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:48.946{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9557717249854C9B4071F095212D66,SHA256=1FC17AE116558708BA1FD1C81700AA221A52FC5955010622ED84F3AD4270F438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:48.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676D369A6757A181717EAE13E44755B2,SHA256=9B66B50DCA374549636BEA0AB5ECDF0A079167B6ABAF75C34EC298346591BE52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:46.572{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:49.947{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA98BB26327249FA0BC12CC392092170,SHA256=28BBC54D63712627A0C2C900AD14522247CE8FF692DD2110E295B83D01B34D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:49.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95240A0CAB779506A0F4A00792DF912B,SHA256=42CE1020A1194D8E15706A6BF545AC2BCBDB4BE0939AF1D19F867D5C662CA5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:46.541{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64234-false10.0.1.12-8000- 23542300x8000000000000000300498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:50.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEF26891B0EB483E5A815B860CB026C,SHA256=CD191E5DA2C328F4FE149C7D9ECAA26D4446F0B9D3A536F70223DDB5D0B9755B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:50.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C08F124844556A0738AFFC7F80D953,SHA256=43D4B9730AB4B78AC00EA1E3F49483FDE4D4EACE415FD0676CD2754E0714708D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:50.074{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1380MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:51.751{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3BD4EB062F1FA4564D397A48A0579,SHA256=8BF2B494C6BCC3F60AD2A98B0B86C33C233E0E78B84322EF97F985A0C50FA900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:51.964{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A621565075D6E5351A47565D27AB106E,SHA256=26BBC42A88BBE62E2B8C27F2957FF2F71A4E421185B5435C2994BB80CE97A64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:51.088{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1381MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.979{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C63F21C147943CD38E4F397394C580D,SHA256=123A85F2011DD5B475F15EE0C9C7276C0FCCAFC96FBBCAFEE971C26264D8514E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:52.767{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73F8AC706953F19000D696CCE513DDA,SHA256=C15595547116E691A355AFDF234F63BAB4D2DCEA4D82445DFDE63DFE7F65E860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9440-6149-F72B-00000000FB01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9440-6149-F72B-00000000FB01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.464{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9440-6149-F72B-00000000FB01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.465{5097E253-9440-6149-F72B-00000000FB01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:53.782{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E558E8D8C868D714991BC9B9D6CD2A8A,SHA256=D4549A7C4FA9EC8E9012304C1CA251BE57FC5EBF4B3ADBD6DA63291D9FF89DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.901{5097E253-9441-6149-F92B-00000000FB01}75803744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9441-6149-F92B-00000000FB01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9441-6149-F92B-00000000FB01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9441-6149-F92B-00000000FB01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.761{5097E253-9441-6149-F92B-00000000FB01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9441-6149-F82B-00000000FB01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9441-6149-F82B-00000000FB01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.089{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9441-6149-F82B-00000000FB01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:53.090{5097E253-9441-6149-F82B-00000000FB01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:54.783{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11246B8194AEAFA649252EB43A6649D9,SHA256=3581D6A5CAA7FAD744DAC310E0E90E1D83D136DCF197916E64A1746289539804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.573{5097E253-9442-6149-FA2B-00000000FB01}71364924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000300536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:52.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64235-false10.0.1.12-8000- 10341000x8000000000000000300535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9442-6149-FA2B-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9442-6149-FA2B-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9442-6149-FA2B-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.433{5097E253-9442-6149-FA2B-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:54.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5FAB76269CF6D6E75F59EC8A065659,SHA256=105138F61329C1DFAFAB6EEDD8F5BA96003035E4877987CA19766032DFF30FFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:52.603{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000262368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000262367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05092f7e) 13241300x8000000000000000262366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0x3c9cc915) 13241300x8000000000000000262365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0x9e613115) 13241300x8000000000000000262364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0x00259915) 13241300x8000000000000000262363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000262362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05092f7e) 13241300x8000000000000000262361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0x3c9cc915) 13241300x8000000000000000262360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0x9e613115) 13241300x8000000000000000262359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:13:55.876{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0x00259915) 23542300x8000000000000000262358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:55.798{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D5D201C55A7B87002766FDD6DD8DD0,SHA256=6759B357172FEFC0CB55CE1F9E5EB372C10B55160B4D1DC42B4609143B08BB3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.917{5097E253-9443-6149-FC2B-00000000FB01}70604676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9443-6149-FC2B-00000000FB01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9443-6149-FC2B-00000000FB01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.776{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9443-6149-FC2B-00000000FB01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.777{5097E253-9443-6149-FC2B-00000000FB01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.245{5097E253-9443-6149-FB2B-00000000FB01}77327156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9443-6149-FB2B-00000000FB01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9443-6149-FB2B-00000000FB01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.104{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9443-6149-FB2B-00000000FB01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.105{5097E253-9443-6149-FB2B-00000000FB01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFF394AA2952F5C66F41002E67474D3,SHA256=BD10A3FFA7E6DF4991460DA5E28E590F098447960088CDE52BC2572C31EA7C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:56.862{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB70B222DC8341577BD8B6B11019DC5C,SHA256=BD434BC1CDCC8888E9B65495A6A16AC6F43AD014BDB9C679E9F595E7B04306B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:56.089{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C520B523292E40F107709061B98C4B6,SHA256=F3B88ED1D119FF77871349CCB6B89EDC472439585EAE5E0549D07966A0DFB1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:57.888{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67846580737DB041B8358BE52CC069FE,SHA256=593081C0C09CABCD8C4D5F481C8EEF33CEE20D67F49AAEA49C1B6AFE13EFD87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:57.255{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1372MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:57.104{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8A068A99DD483B5DEACC55F5E9E9C,SHA256=E5CB0A28CE6073B8EEE42FC5BC5084782A2451C84BC8AFAD596602197CF47201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:58.935{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4028CBD31ED6645E6112BBD42301C3,SHA256=A78CBA6935E2A946F87C75C5980A96D3A27E5D0FA563ED47426949A480493A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:58.264{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1373MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.919{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64236-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:55.919{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64236-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000300559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:58.104{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3C78851B0AE41E5178C38AEACC53DD,SHA256=795B7855AD2D235FC186A768AEC3B4994A7785E20097D6E3CFAD29AB44745147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9447-6149-FD2B-00000000FB01}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9447-6149-FD2B-00000000FB01}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.870{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9447-6149-FD2B-00000000FB01}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.871{5097E253-9447-6149-FD2B-00000000FB01}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:59.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6D9BDDF26EB5F3D5FE8B7861F5E0B,SHA256=42BF11F1800E9ACF2EA1DA40319BAC12794EFB6B214DE36DB7C18B63ED349288,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:13:58.536{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:00.013{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B9707F121ED5E5720618C077EA0787,SHA256=8A29EA14F287ADB0193C29D1213C8240FE466F5BA844ED5A275B9429C4443BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:13:58.481{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64237-false10.0.1.12-8000- 23542300x8000000000000000300571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:00.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E67908D9B521CB719ADCA7A22470FC,SHA256=0682042A27EF25E2FD321B55A91628543DF255400B4991E46C3269EAD44A535F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:01.028{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB52182F210FA857DD35954F877C8C6,SHA256=3A519993577E90682BB62F100BB1CDFCDDF7563873744CA47325F19C05B56541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:01.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27791D20D326F079FFA7BD05ED06A386,SHA256=CBC00F27CE43BA5FB7589495B7F2986C36080CDCE129A863A3B0E12F246921D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:02.044{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8B71D36BC5C4DB680A884F6B6ABC2D,SHA256=501461F7B8958C886B526E9F9B9E80CC8034D5CCBDAE5A0AA93721391CF77E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:02.167{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5D601DAC4FB5485D8B038952437C0F,SHA256=4FA5914BDB14021A1630D3E8FB3AE2EC06DA801F9E97590382A42DBF814CBAF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:03.183{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1B2215F6227B5DBA79EBB4FFDC9928,SHA256=B8742B240E863CB5CEDC1803F22B0A37AD06D24DD517F371AB300E35BE814047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:03.278{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF7AF9BB43C1AD06B9D9C033FD7583CD,SHA256=0CECCA82604C0CB1EDFE981CD548612A5885FB2BFC9FF37B0034BAEF8769C561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:03.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F1C87DD4198CA8CB8869EB1AA2FAD4,SHA256=0015E05BF2011AF673F8392F4EA8BEB8D0817DA4A946ABBA91653A75ACA6AF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:04.062{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323CA88A7AE78A15CCA1F71F02F016E4,SHA256=3767AA9FECB0D09D4CE852A3025C55F6613CAB4982EA22A23F6E2BB755CD8C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:04.209{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C214429FFE782C4E7697EAA7378FD9C7,SHA256=17DF44AA3A7CDC45965FCBB6CDB6269C5EADDDF8684DDCB3E0188FA63FBD34FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:05.124{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E94D490A17EC5883FCCEA917111974,SHA256=73DCE0091AAA6E9660DABC20C440F5246E1364D313E2EF031FA5EA3EC3F17C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:05.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5097834619ACA150796416F32E7EA512,SHA256=12D60DD6EB2174E2218263EE15BA19081358830848BF838FA35B5FDF29B22839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:06.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D6BA03EDDCB19A617D7C5B95AD9530,SHA256=B7F2DB86CE510FB054316D6A9A2AA9622667FE758B7E48D9AD5208C02D7BA3B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:04.398{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64238-false10.0.1.12-8000- 23542300x8000000000000000300578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:06.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CD95FAD2CB4D086B16CB001EF4160A,SHA256=D78AD3FEC86099AAB058155FEE2A7DAE0B5FA3ADFF4DD5818094F918767B73B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:03.710{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:07.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9820C0781EBB7F16DA0B98453BBC5A5B,SHA256=424F7CFF43F523F0A1C60DA2D899887DBB1899DC361909BD3DB503DABEC19E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:07.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748B0D98F2A812006CB58EB073E4EF3D,SHA256=2505F09C1FA12AFAEAA85CEEAF69EC6EDE99688673F92F935175B0D244C3DE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:08.171{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2144487A95D817938986A0A22739D160,SHA256=F4B63CCF4155FDABD5B499EA0DA3A2D4992735FA57F60DAAE903D1C73CA17CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:08.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231577ACF0701EA64DCE4C483940CD08,SHA256=214F577229A2E4D23F6B3B4A9C61DA0C9CE276723613D0BC32553B3CB4AF2681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:09.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4F2F600FD5F68CDE34D63FD9F5B8E0,SHA256=DC6E3097749E0E41A796C2D73E4165640D7755F7ECFEB66BEE174F71B302EA37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:07.438{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-53616-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000300582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:09.256{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EC886347A41853769ECD3416DA8A02,SHA256=F65815431AFE6C398FA5D95C7C1D25077CE1A166FF6A1C10EA434F547528AD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:10.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D68F36283CE2622F46E0D86EE4875D,SHA256=90078A2C15A9D53E625A304A789CDD1C4F2C9CD1B14EA581783D761094011D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:10.256{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A816E4CD19F18E362ACD99F9792ACEC,SHA256=DF394C0A90684A0580FBCD0D6B3AFAD2925FC5C5CCF007EE8FD1E97647053E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:11.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C2FCA123B84F06DD4361DFEC2F9790,SHA256=2EB671E052D07CE6A78D562CFBCEDF0E7145C4BE1E3238DB4E4802DC5BF175CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:11.272{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E54CBED27138E52BC7817ECA624072,SHA256=89772D78593CDEC87A7FF157DAC639964A8669036450B2B8D833374188C3D2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:12.303{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A391D2F6A7ADB0906C21084F6A5C5A60,SHA256=3D268B6011B9870A4773176C47D53A6DB7177F0468A768B5873C639FB7DDEC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:12.233{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B30148D767BE966AA7E3A4D6A62D87,SHA256=17E56FB1AC78193BB98882049DA397A4C82F09FABCF65916168ABDEE9E84FF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:09.647{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:13.249{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475BFFFA92BDD1CE8252CFEB7CB5BFA7,SHA256=0DA8F983E7EF9F0CFEE177194C5B4A1BE729DDB00E910DFD45AD08DB0A786544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:13.334{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AE7A8346A145C60818B936F9F182F1,SHA256=CB5F523D8329B35834436F97FD5FC903979C4C1DA8C2AB30F32CD5C1A8CBAF3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:10.367{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64239-false10.0.1.12-8000- 23542300x8000000000000000262392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:14.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD5CA9D379D59E654D227CFFFA3BB89,SHA256=6E7022B5C3AF603F70248F149A8C3EEC462744BF9DE0BA9EE4A8133C8146BCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:14.381{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B564B4773080A5A2014AD309C4CFA0A,SHA256=9559FB1B25E413EDD02CC0C79251AC493CFC0F63FB32D0F82659007B8889E75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:15.374{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A63167A58EF3D4DFAE5F517AFF937F,SHA256=33178AA321D35B46532120E8D65B828CB74A42921468735AAE02901846971980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:15.397{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B08C1EC108A9E4D2258D72E63B53A7F,SHA256=1855103BA9DA842CD62363DD19DA7EE6371C6DC56C00821AEC7DD7AF72EFE485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:16.390{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132A6F35FC4E6F8BCBD1C84A462D503F,SHA256=4108215D1E6152789870D536E72BFC8011084F00A46D9BD5AB46C7BB410BA0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:16.412{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D15C9082FF5BBEAF47658D036E99F3,SHA256=C63FD9FAFDE38F8513488B79B8D115FBC90737C5563F71C0AA04290A42F9476A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:17.421{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D85AC67F561159FF725B1779B4E1E12,SHA256=182726EDF5339DCB6CD1080639C75FCCDBF2618FFBAB4CC956CC25F84BD64D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:17.428{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5412CEB2DFA140DDECE06B63E7131573,SHA256=8F179B0F3ECDFC5482C59945DBBE1FEF45392E9E5EFAAAAD337A3771555FDFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:18.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01755F37C5B8624D9EC04408512549E9,SHA256=39BA43AD99E576C85EAE27FC5A58E4938A68E88C13A3DC13549DF7DE6D6213C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:18.428{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E04C90581F953FF66C9CBC573787E6,SHA256=186D1E676C695BBC16CE6766C9485D2279A704ABCD2DF011B4CCE9F9AF99A280,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:15.585{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000300593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:15.554{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64240-false10.0.1.12-8000- 23542300x8000000000000000262398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:19.499{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13518BFDDAAEC823053DE4DF55428E95,SHA256=B515B5F24DB7B722E0F8525C73EE4C10748DF79BC40CDB57F54031EF9977A729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:19.459{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0737A0BCAA3A0A6C6A8BAD3C28F0346D,SHA256=3A40901F387B3751D3176C09B5DEF7DCE27106176A12AB1FBB84BEC2492DEE78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.874{C189DCE5-945C-6149-7227-00000000FC01}2412744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-945C-6149-7227-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-945C-6149-7227-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.733{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-945C-6149-7227-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.734{C189DCE5-945C-6149-7227-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:20.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42FA9FDF84090B35A74AF9BC23C40AA,SHA256=04FBE177FFBFC7D88B057907483DDDE01BAC603C757DBEFF2366C6AD0357BD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:20.490{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B904594908287AA869A5467BDFA65E75,SHA256=5A96DD4F9EC23A127B9110E6A94C35C4ECE19B9A205057D33FD158EB343D1116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-945D-6149-7427-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-945D-6149-7427-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-945D-6149-7427-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.940{C189DCE5-945D-6149-7427-00000000FC01}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33E8FAB04FAB891162D5EDDBAC0D71E6,SHA256=BDBB76F137A3909AF77314514925A56B6AE752613E68D95373E4CFC8D6FFA97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFC9BE108874D44D2A0CDAA1AB0DB45,SHA256=A384A724F6C1E8D455A2D3E1881ECF8C3ECEDE92503146A212366F1AF441D34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.937{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99CDB66186321C4FD0C57252A02BA56D,SHA256=01D2E585B74CECB117ED71C91986B30C867BE9B0B0EAD6424183A216B93D834F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.608{C189DCE5-945D-6149-7327-00000000FC01}11283104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:21.506{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFF4A8BF08E927F990DFDE94E69E787,SHA256=5912799E9DB06DB0C9E940B1A96C54A0D40DAD09A62BC19BC0D544B0830A579A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-945D-6149-7327-00000000FC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-945D-6149-7327-00000000FC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.405{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-945D-6149-7327-00000000FC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.406{C189DCE5-945D-6149-7327-00000000FC01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:22.506{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B0DC0D28D4435F4F75735A1447C671,SHA256=B841A997DABBAB1877FDB63C6365E4D608A7BD764722FFAA5E18C720BF362D75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-945E-6149-7527-00000000FC01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-945E-6149-7527-00000000FC01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.608{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-945E-6149-7527-00000000FC01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:22.609{C189DCE5-945E-6149-7527-00000000FC01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:23.536{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6673676E7AA5C82AAFE763A81942F33,SHA256=E356A45AD9FF9CB75F83EC962253B0A1B5895E7A87CB77DAB4C3EE4286C9E75E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:21.554{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:23.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0A041E42C03A906576A306780B49E3,SHA256=12E2032F2C8D362C0EBFED05E0DE2EF416B1AEA9A23EF033EA9814008D4CEC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:23.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33E8FAB04FAB891162D5EDDBAC0D71E6,SHA256=BDBB76F137A3909AF77314514925A56B6AE752613E68D95373E4CFC8D6FFA97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:24.551{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9ACB59D9BB056BCA2FF4B1E6C91846,SHA256=D793A6D32AD16B6A62682C4B26AC83943DDF28CCBB55AC333D6613A52C577E5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.638{C189DCE5-9460-6149-7627-00000000FC01}25163480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9460-6149-7627-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9460-6149-7627-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9460-6149-7627-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.451{C189DCE5-9460-6149-7627-00000000FC01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:24.107{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760C1556EF656846AF9D3F841AF0AEA1,SHA256=309EB869B5F8B521B3034FE0B0F78508B9AF4C24C61F80C737DDFF329C62D0A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:21.320{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64241-false10.0.1.12-8000- 23542300x8000000000000000300602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:25.567{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA227C8B9C085DF04E90D90692750783,SHA256=0D7FAB911A9C9503C6EBF238227967FE0CDF91B3C7E5F1387B67250A34B8A158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E6277A9AEEA957CE982EA8B7E4DF638,SHA256=210BC86909EC9E5B65CD84E3F59D67243610BFFF599B1334D0F2391BEC507836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.310{C189DCE5-9461-6149-7727-00000000FC01}39683896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9461-6149-7727-00000000FC01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9461-6149-7727-00000000FC01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.122{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9461-6149-7727-00000000FC01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.123{C189DCE5-9461-6149-7727-00000000FC01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.107{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5077C3947DC27898AED764011BDFD434,SHA256=AF586981DFF4287475AB2DEBB97DDDFCC89ADE92A9C2B1F57B139CE393FAAF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:26.598{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809F71A434E52AEBFD3CD37E2450772D,SHA256=BAC4145F051E7A9505643EC318867134A61034176021BF4E8CFB24E88D0E99F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9462-6149-7827-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9462-6149-7827-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9462-6149-7827-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.373{C189DCE5-9462-6149-7827-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:26.154{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A140C45BEFB31AD8119CD23E5F93D21,SHA256=C51F8C338E72DCAC3A05098EDE4D73241420A4DDD46BFBC7947887ECC4F31411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:27.645{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0487C6F0283C992291C768F6ABDD6419,SHA256=D7ADE06C4EFF30E3B77D3C3323CB5800FC354A1CADCB48A7C21B87758B8D8E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:27.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD06EA2DECBEBA0B1FD1AD75CDDF66D,SHA256=EC9B2B46207C006EBA33656DF7AEAC9481220FEB1C0C0952DB904336CC359D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:25.563{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com17702-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000262505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:27.154{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAC10AD95E18D2E9423062766FED267,SHA256=7CCCB735B4D8021768C323017B500CC740F5990EB15B3F5AA47C28C76F0EF459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:28.676{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7FB413670EF051BBC033620F321C9742,SHA256=FB94A2D448CD65BB202FE8392D07B79C6719647B9BA18B2251F9EE45EE65C812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:28.645{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2DD6370947817339B3ACFE9E488E8C,SHA256=ED35EBB6440E772BC04FFC9FE77C982D39BE282BE7E1C1844043ADA4D5DD9332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:28.169{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC52916170E95000520D8F143B4A6B82,SHA256=9EC13A10099F4F31BC090EB1D3FDDA3995FF84BBDC5AEF48A561F7D311B47C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:29.647{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824745DE55FCF101FE25B64D985D1726,SHA256=B1FE1C5BFF0DA3D9678BF118EC85A0D9E897B8BBA36C5BA3CD49378118810E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:27.568{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:29.216{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8546FEA05B63588587397245CAFD00D9,SHA256=3C9869FAA231B8387C849E65BB72C69B6674711D2AE659B6639DAD99FC1061CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:26.506{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64242-false10.0.1.12-8000- 23542300x8000000000000000300609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:30.692{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E403C506177295BADC761F37FFF631,SHA256=01E9E6758C9D7B277B6B90D23915BA32A33072EB29E9C002B00C7987CEECD42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:30.279{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11800E15C4A729346B9AEE522E2C2562,SHA256=2852A55F21D3E2981EED0160E380259DEF710DD0E01254829978E6C7DC959E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:31.708{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203D31B8C826F387813C73AEAB0D659E,SHA256=C1B558EA39FCC1A7054627EC8D2F447018968DD5D9D1492E02C408C466EAE5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:31.294{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A806A96D3DCF50A451152067338B573,SHA256=2688D2F5DA3BF9FF43CCC95786D3F2CEBF324E39720131460811A96117BB2CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:32.723{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A557CDFFEC5135AA1E35553643EBED,SHA256=FFE0FD5DAAE8C7123D242C754DE274608903C800B3641697EDAF48F020628B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:32.326{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C3969B18804BAED5D4F3592F45168C,SHA256=3C500FA5B21BEB614AFC6B1D97B0D7DE1229EC38AE25FD5AF1F6CC8F7B760EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:33.723{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205108CDE5C117FFFCD0B10F8825BEDF,SHA256=91D450583D6CD5C1C4B9F656FE0F6ABD5847AD5FF5051FF6B8A58E3CCEBDA63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:33.341{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DB176CAB806DF6C42AEBB07E86D98C,SHA256=9A1961BBAB363B3FC16B044A21A842BAE04D6E79D6D088E096E88B576D6BE182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:34.739{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AA835B35561F34772097A57AEB35BA,SHA256=4612B353ABC9E78005AA743FB7E3DBB104B96EDBD859825DF700CC7AA48344DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:34.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032391B5CF72A2BD5588233E54CB9C13,SHA256=7F344AB715127442F7BD2BDC4C738EC5F3EB408DC94FDDC72387BEA67B3C7B06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:32.474{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64243-false10.0.1.12-8000- 23542300x8000000000000000300615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:35.770{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E903E2EC5CCC4C553A61B21BC69C0E,SHA256=ADED8F6BB3D3938C5E9B0DFD71328350464A586559E06FCB6DDB4F4379A014C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:35.404{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD853EAEA978B6BA884AC44FA57C22EB,SHA256=581B26EA820585E9FCC7830A7C8EB0E42E44380E568032A10D03B68185486479,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:32.708{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:36.786{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0330363A379E60E3148D03AA349A4E8C,SHA256=0F8BFCA7929D9FFE29925462332683473C2A0C65068A007E5A91E5CD64B97728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:36.466{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:36.435{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994175DAB705458753B2338E1A0712D7,SHA256=891D510ED98119B31B59D0B0EF8D5837CE129C2FE83ED0564DE23FD50D4DDBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:36.598{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:37.801{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B0923CB84FFA60C0AB370FDCE1FF76,SHA256=3B4AE659A1503F294B986781141664B4D82292CF9FFAE28F5C41CC5056F27C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:37.451{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA14EA4397039647F0808D21B883B2F,SHA256=830EBDBD7FE0DB25F081CC6AD8C3E411E22562BF725B38BD5D72071D7750E795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:38.848{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89A7F85A47CF74FCCE9DE63A76A43A2,SHA256=6B3C9510BB3346362F3BD655A6E2CE966FB65DC4BA93638ADF3875BB566EC2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:38.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA7B9403780D6DFFDF9D65917DDCB39,SHA256=C03C3EB3CB492F5EF50AE4DF3FCA605099A5CA0A5DF32E08E949EB7B7AAF5705,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:35.927{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000300621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:39.864{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CDEA8BDC9055F6C5924CB6A755A564,SHA256=7A0942576E0D048EC7BA318DBAF209FB137CA4BDAF81834599E6FD9625DF74BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:39.529{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365176A0AA6F5280392BF58E4F251B3D,SHA256=CD396DB3AF78183556C5C38A0624E63BED87CDDBD51FEE79D0F01138E366D689,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:35.897{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64244-false10.0.1.12-8089- 23542300x8000000000000000300623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:40.880{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F78960C64B87B032CA4994FA14EA15,SHA256=BA805967B35D32AC7236AC367D45CE94D1863C12D730CD3A16F83D9848FAD86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:38.489{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:40.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC87282367D2DB952A3FED827A58875,SHA256=36AA86D89080C54542627172C641572D4BB7B9335B0747BA0BE0F14DAC4E8A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:38.427{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64245-false10.0.1.12-8000- 23542300x8000000000000000300624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:41.911{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6D54F9E64234CA5598CB0D4BE612F6,SHA256=5FEF0BBBF8C854EC250DB6813AE24736F96D1AD9A7991FB7FF161CE49EC912D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:41.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DA98E3457F5650912F466C84B7A71D,SHA256=518BAB03C9783E5F324A7D9EE860EF0019D3767A35FDF529BA0E2C0514880BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:42.911{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADD6DC42E0425787B3689F9D17780CE,SHA256=A8A14E8A6F1DDDF42DFE18F948EC11593EF17FE0D24D9D1183AFD9860B85A4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:42.638{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67C7C42993E691D36D125421BBE60F6,SHA256=00AA0E71EC58C191699420778529136C6983D3C17AB0D9579B0083052A641936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:43.925{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4E2B95B3F7600C0C51D299825F0DA4,SHA256=F6CF5FA02731F1F3217114170F0BFE6F18A50993AE765AE04D5FE56083DD87F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:43.669{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB921329D1B0D29D8E6F8C27FA7ECD8,SHA256=57594B4F811C27067C126DB702BFE4DCA0A9BE1D764AD00957C923FC69876EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:44.941{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FFBFCB6027FAE14685DDFF12F4A4E8,SHA256=949D00084737DE76F303DBD57D6989C9BA2EEB2B6CE8084C4F40E8A1804F7795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:44.684{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7ABCCA426D9D6C4898CDC12D72FFB6,SHA256=EB525FB4E6623A184B553CE8C43DA4E2C92A5A1893BB2B568C874451BBFE07A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:45.957{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E358684F85EC30E80E00632BEFB9EF,SHA256=B3319B303A42F3DAA3C5CA4DB5EE68900069971F5C55C04298E3470092B123D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:43.723{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:45.731{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2596C1B8B572BAC334150CD3154FA7FF,SHA256=180EA7DFE94C3B48E3E42B806BB03804A0E165FB275AA22C96A8628268D4045A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:43.552{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64246-false10.0.1.12-8000- 23542300x8000000000000000300630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:46.972{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22478BD81E15ACA58B709D91BBC58E14,SHA256=BE0F66F75B20C9687D90A10290AD929CE7AEAD1645E07DB268F497B02E44911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:46.747{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD07D64EDD7FD2E105E94006E34D13B2,SHA256=36C1D8FF0C2A743687F238F3FD2F509930A176F9CC0E00EC6964BF367E87C15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:47.762{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22515940DFB4807647A44CB74B03117,SHA256=E0F7411E94C261DCB46619821F29D6FE0556F41751BFB609E54FA656F1B76AB7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000300640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000300639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0511d339) 13241300x8000000000000000300638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0x5bbd1d11) 13241300x8000000000000000300637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0xbd818511) 13241300x8000000000000000300636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0x1f45ed11) 13241300x8000000000000000300635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000300634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0511d339) 13241300x8000000000000000300633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0x5bbd1d11) 13241300x8000000000000000300632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec0-0xbd818511) 13241300x8000000000000000300631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:14:47.254{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0x1f45ed11) 23542300x8000000000000000262534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:48.809{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6835E1A6EA7A38D9AB0215956C82D2,SHA256=6FF4E8987CF4547810AB5B40C65378CF424A8BD975125FAA6A7B4821C9C005F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:48.004{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7467B53E96330F01AAE866C925D514,SHA256=A67298431FB0CC27317364FE308381066A00A2BEEF4DB57104A84C2FBA41921A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:49.903{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCE31F5BF89D20524904DC95753CDF7,SHA256=8B34BFF930AF4C50E5CF403EFC1C8F6D226DD293CFABE212D6006C86B72A744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:49.004{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CECD4CF79279736FBEC41D483A2AA2B,SHA256=DF1178D34F0759F9552335BF8E7EE86A0B1CE8B91830067BA2133756A13F182D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:50.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F895548523FBFC96FAF08FA135B46C,SHA256=393808F1DDB8E9AFE1499F832E83B812018E7A116BD8392C3DD2F41716548B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:50.019{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CFD483986F76BB19325DE353F7ECA0,SHA256=EA14ACEF4D154D328DB8FE6AB43FDBD76E46939FE98130E6478C8423E277163E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:49.458{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64247-false10.0.1.12-8000- 23542300x8000000000000000300647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:51.616{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1381MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:51.177{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:51.177{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:51.035{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8096738A1C546B3D4C63D4E3D5AAB6C3,SHA256=41CD22DDD93213358F99D0539E67DB0293D1DD5656717C9A0D88F362497AB5BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:49.567{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000300659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.641{5097E253-947C-6149-FE2B-00000000FB01}43486660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.628{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1382MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947C-6149-FE2B-00000000FB01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-947C-6149-FE2B-00000000FB01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.486{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947C-6149-FE2B-00000000FB01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.487{5097E253-947C-6149-FE2B-00000000FB01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:52.049{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3647005C40206CF3A815C9D9ECB2E4,SHA256=2736A84C6296EA0BE63B9F76F80F3AAF8C2264264F05A7E2407C329862AF3E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:52.028{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FE6762A0746684CC3D4A78AA6D2CD8,SHA256=6E4ABFE865AB1902F12F67E694AB7ABD10B140FFE80CEC60DB5BD74319F43796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.941{5097E253-947D-6149-002C-00000000FB01}56242432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947D-6149-002C-00000000FB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-947D-6149-002C-00000000FB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.816{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947D-6149-002C-00000000FB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.817{5097E253-947D-6149-002C-00000000FB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947D-6149-FF2B-00000000FB01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000262539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:53.075{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65A48E3EC436518C097DA1551EE7BAC,SHA256=77E35D9D9649B0EF98425D4BEAD8D07ACBEB6AEF47EDC1ABDBE76E6D9B4EAAF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-947D-6149-FF2B-00000000FB01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.144{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947D-6149-FF2B-00000000FB01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.143{5097E253-947D-6149-FF2B-00000000FB01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:53.063{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAC4F00B34B57C4116A691B40BFC0F2,SHA256=C343CDEE0A40E1D8D7D46FBF79B3E126020DA109CEEF843146E69D9A183DCA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.629{5097E253-947E-6149-012C-00000000FB01}63563400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.519{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947E-6149-012C-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-947E-6149-012C-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.488{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947E-6149-012C-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.489{5097E253-947E-6149-012C-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:54.066{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFDA32635A89637EAE7CC6E81B7BF5C,SHA256=C52B4938F066F7879E77F6394065B11CCDDA28AEFA56336D983766CED63FD341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:54.137{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B0A8E59BF3A026FB7BCCFB85EA5642,SHA256=10605E17F624362E6F344E0890FF1B47E581E0782E50729B03A05B5664C39D7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947F-6149-032C-00000000FB01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-947F-6149-032C-00000000FB01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.832{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947F-6149-032C-00000000FB01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.833{5097E253-947F-6149-032C-00000000FB01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.301{5097E253-947F-6149-022C-00000000FB01}87912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-947F-6149-022C-00000000FB01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-947F-6149-022C-00000000FB01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.160{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-947F-6149-022C-00000000FB01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.161{5097E253-947F-6149-022C-00000000FB01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.082{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2866EDD26A987C87975D0665C4E6FD31,SHA256=9EAD99135B1AA706751264DF3E5A5FE62D7BF52E8DE3DDE88C42490AEE885BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:55.184{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82D182372ED39796FA6F3F326D5862F,SHA256=0D88075156503763C60BAFCB81847240873A7366A945DE6B2CBA1A66DACF0A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:56.200{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC57C94385304B72D5F22538B01764EA,SHA256=7D6A229E6673F53608DDB245654BECC8412A4EC5597B3DA2BE300D3E1DC31BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:56.097{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7C283877340116A85E95CD319174E4,SHA256=5F7F236E7B12DF2D770DE9295BD25558689600045D54C44835D90927587DA61B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:55.551{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:57.278{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AF676CE765B6CA848BC5E58A78D231,SHA256=31C576F731A2856227219A62F1BA85D19E2ADC2B57F3E7D6070E9EE95623C22A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.927{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64249-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.927{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64249-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:55.380{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64248-false10.0.1.12-8000- 23542300x8000000000000000300708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:57.144{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5402DDF4C8AA507C8A63A5938D5C6D17,SHA256=241BA04AD48FB3D80B2E6DF5DFB2BF8DA2FA8CF43D0AC2E46230E065627723F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:58.160{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79E865BA20CA0DFC7DB4CC56C041075,SHA256=915F36726C66F2241E813DE748F08A10BB4353F541C285AEFF2CEC1818665153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:58.784{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1373MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:58.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BAB2E99B7FEB8F5F95B73C98BC65AC,SHA256=10E0A57BFFD065F945747FD9EC6FB38D7831EB6AD679A6BE177535ED898CFC22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9483-6149-042C-00000000FB01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9483-6149-042C-00000000FB01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9483-6149-042C-00000000FB01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.879{5097E253-9483-6149-042C-00000000FB01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:14:59.176{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E85FCA2849C38999122FBBCCDB4826,SHA256=4BD6FE1CE1D085CCF9C732D7D789D821817C247049FC8509CB8AA481BC1E98E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:59.796{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1374MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:59.311{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CC281AC67FD3C830C57C9A9E3CBB95,SHA256=A4F24147972130491C80860525E9AB6A3EC6073753BAAB6B5F63D77F1FD18539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:00.315{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17DA4E3DB2219B454E63A6634AFB0C,SHA256=4A085F3435EADF7C0AB10A18CC97379E5B9BB67C745C0D679726791D5C43C375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:00.176{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6D4F81CE01A559E2D14A45B4359514,SHA256=0700DC49A9329D7A839ED5510C7012E8DEB066027DB223BDCE32543BD999D18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:01.315{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0A9A19B6C6E2A8E9631C364427CBAD,SHA256=1F64188C8019F9870F06E818E68511374EB8B31F5F67DC04CC29C774EB00D1E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:01.207{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A750038370DFEDEF72A8282DC8C424D4,SHA256=0F85F6F7F7200FA3DB22BA4DBFC10A6A727D28E6AA7C7B392312C1C4E1E675B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:59.621{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-917.attackrange.local138netbios-dgm 354300x8000000000000000262550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:14:59.621{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-917.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x8000000000000000300724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:02.223{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABB8F0710D66F6DE46512288EFE4A1C,SHA256=44E804A9D852151CFF478856D9D6A7A2CFAA08E21FFF602D6BF4EF076B826A60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:00.697{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:02.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D25E152A419449BAE9713137EC19EB,SHA256=99282A70C12EFEEB405B82D4F2B12A90A1C013170E534D1D6594B50A1FFDC955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:03.238{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B111E0205CA1E48B661BF050154452,SHA256=BC52F15740CDF68B8C9C46A0E81ED8DEF3BDB0EDA0CA7CAAE4660E4E18A48CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:03.346{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7AA324011EA04F50D9979623269627,SHA256=D1131D25DD501B7B11F50B92F093B0EFA7D2106A58F08A0827C63547C7697AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:03.284{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CDDC7147BF6108696F73976F72F114C4,SHA256=6AD8EEB89826407908CF497D6B5F11A2D4EEC64D237C82531D91E40F385BA16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:04.353{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F5056E037B8565C8AE2144FE772DF5,SHA256=2170AB1BAD229592C921AF70671F817C408E76433655B6789D98C908C97D2758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:04.251{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EB25D93AA8D336280F83AC489415E6,SHA256=08CCCE17749C61612D8288E0E206D67B93157BD563092EF4E2EA1E7A0739A5FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:01.349{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64250-false10.0.1.12-8000- 23542300x8000000000000000262558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:05.369{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B532557D6DDAB21DB3C55F7A2790EFD7,SHA256=6883AF114147815B6C0C93A9E4251CE0E4EBCA530F4B118222EC67EC6C157F8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:04.001{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-55001-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000300728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:05.267{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42F45476F48FCBCD93AF0FE15A4EA95,SHA256=A056AA55A4ADBC663F62C31A0E904066A1F75AD0EBC91034D23A63BBCA2495E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:06.282{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932A66FE5378DACE2ED307EADDAB3A47,SHA256=B7BBFAB3E133A7A18663BABBA90BB17346474B4D59943C4C60AF0D4EEF25220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:06.416{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382727D8055D03657FE671F9DF1011CD,SHA256=018F0A01FEC9BD8BC7A61346AFACAC6963BC2E5E49E36710D7699FEE8B7150EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:07.298{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D3E5DF8F523B9FB7D720D5651A17A4,SHA256=4A4B5D9E4A35880C4B4135FBFDC704B1BBA8078C6D8306DA2AA70945218D45E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:07.431{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E07C08F250D9163DDA90D63263E316D,SHA256=40E7549692F09F6934E0DA4BE0F04367F5192C93D252C5A1A3F73B6EC58BED75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:08.329{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAEB8A3EBF2729FC34B63F6BBA5265A,SHA256=372C8EA14BDDBAB93BC9A835B31E200F6B138539BDBEA185F127DEE080BE7C3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:06.579{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:08.447{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6D3CB77CDE63F9470FDBA71D46ECD5,SHA256=2575EAA991B644CCCF6F1C13E0EC4ADE7440473A3CECE538E3B17A9579C58E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:09.463{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8A036162E53E0DD0361175CFDC190A,SHA256=3F6A50E9E1C1CDC469B003E3D4EC8451FA65DAB7F05E3F5D62AD3742351AE512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:09.345{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294C879A405ABAB7EE2B24491D85688,SHA256=7B3A57B96574045FF9B59C28681E0F7D4FE2A54C29C2386C99A06545EDADF6D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:06.424{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64251-false10.0.1.12-8000- 23542300x8000000000000000262564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:10.494{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4501CDFC0553DC01C696070ABDD54E,SHA256=1494D38D9A2D6A23BFD29E51FF7737C1B73A48A3F30BE0881FABC54F08BC480B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:10.345{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5F8D2D1E5F6766A8AABA22A0C2757A,SHA256=5BC23D1E0714918D8A2DD57991D587D4FB3AF59FEBB29D648E972DB2C306403D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:11.360{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDEA3C605204A825228B750AA8F7025,SHA256=2E0AD8577DCE35351BEA02CC7DC6C923E3C4CE5AB36F5BCFCB7466798BB0D5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:11.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0725A0A6355D4D9BA16EDB842AEFFDE,SHA256=356F27DCEB86066DD08DC4FCADFF93A10256034F975F0EEC11E50EEB03780CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:12.579{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BED243AD9C37D90A95807BF80C2D22,SHA256=685B08F8BFFFF4FB90ABD5DEC68FDFEE0CFB3C919B47684874483E7B30FBC5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:12.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704FBC318955BF65DF98474F2CEB6D9D,SHA256=FE39651E3A57CA9AF0DFD7C3F37C1E01A8C8C23F1175F80C6016DE1A25035533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:13.657{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A67A3F3524377B513D476F90E6DF385,SHA256=19F03A237DA6E1F4F3C69BEB5EAAEFF0BD6252DA20B699C5DE781B3BA09ED748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:13.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8640CEB0A21B87C0B367A5D558415D01,SHA256=F1791559F12C25381FC6B6A774B4A4FF6E79AFA0AF70A0476C5E0E06767FF94E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:14.673{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCFF4EBAC494C6FADB41D632F1B23CF,SHA256=51EFEB29CF89E8EBC7567BC40ABB03EE8DBF804CE1E1FCFF04DE07ACEAABBD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:12.564{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:14.603{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F99EB12F344A0F17C1DB8EE23E0839,SHA256=06E43D651DEFCEB334222ED4520B68FC5C6C361E963813CBD3EA00C55D2A44A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:15.673{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACFFEBBD03EC2EA9C4FA6341017A331,SHA256=03426CA7DDBD04015562194A6B82A2C2E9C951542432C384E2CC054C0E03EC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:15.619{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5375563442B7D412C948DA282419BEA5,SHA256=DC47241ED23795D9C5B3488AFDD56F6942263A681B3C6D2796AFF18674896A29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:12.440{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64252-false10.0.1.12-8000- 23542300x8000000000000000300742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:16.689{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368330CB6DA456CB8AFA160341674790,SHA256=719D1131A55285239247838EE7E83F9CF7F614F13B63885D80865E3B6E8DA373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:16.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E74A6624234EACD2C02AE5CAE92E40C,SHA256=85AAFF3B4BC0437C97999BFFA6323A49F7D891EC2372B78A4E13068AA0FA3B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:17.704{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3809F4A0FB7BBCF120959A344CD9DFB2,SHA256=85E0160C45643CED25C2586B92903235E13CD3E0009597C9D36311E09411FD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:17.681{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3859F896559584767F65F707D564E0DD,SHA256=AD8FA20418411CC903F08AED06808B2D7CB86279EA9AE0E5508896CEF3989AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:18.704{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67671D18907CA9BAF20D60341FE96C14,SHA256=6C1E4B242595487A7A1C73C0CD33C13304323BDC6E4BFD6A622FA0B72B01FA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:18.697{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AF6EA5E26E1347448F0E526E18A021,SHA256=E54650F457155462AB4D8854FC28C9ECCC972DD87DBE335F208D8B1B99E163EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:19.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9788C5A64A32FBF582D15FDE305479,SHA256=24E9FE15B1E253ED2CD6EA7E0FD507E975C34CACC228515C69B0D831FB9B6FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:19.720{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEE7B2D91FCD25726298ED43F055791,SHA256=0F36EAE2775F4656B856D95706E8CE26FC8AAC5A2CB017A311A09370F93F4B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:20.751{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A789DED6D55F4E67EFDB4EAA34DA9B,SHA256=64DDB5056A9BB3334C7DFC8F7A83354A19D1AC049546197C4A079FA948D7D839,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.900{C189DCE5-9498-6149-7927-00000000FC01}8922920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000262588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.759{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AA681C2587F81BE8E0FB6192FBDF44,SHA256=1374D5FD6FCBB744BBA74F0F496289C7B53D1CF367313EA056B33C277D57BAD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9498-6149-7927-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9498-6149-7927-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.728{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9498-6149-7927-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:20.729{C189DCE5-9498-6149-7927-00000000FC01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:21.798{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABC56901532377552EC5CECC380B226,SHA256=505EDDDF711E45D870C48B6F95EBD791CE4597A6B4C78FB464D2E50977E03271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9499-6149-7B27-00000000FC01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9499-6149-7B27-00000000FC01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.869{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9499-6149-7B27-00000000FC01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.871{C189DCE5-9499-6149-7B27-00000000FC01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F529347D489E733DB8824B732A6FF862,SHA256=16FF599C10A879E5837D2C18635164CA8A60E7C9FBE018529D29D4CFAE766443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:21.548{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-8791-6149-9F29-00000000FB01}4148C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000300747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:18.393{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64253-false10.0.1.12-8000- 23542300x8000000000000000262605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F741ED6DA65E936E391FA77DC5D52619,SHA256=467E895C2D4A0C2A3AC32217939FA0CDEAA625307C3E66C42DB856CCE29FF0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5ACB32825EAAA81758F445005EEBBE3,SHA256=C676F4BA496B7BD6B366F6D5A734CFEB83DD801C8A5F417FD222D4C1DF3FEA07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9499-6149-7A27-00000000FC01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9499-6149-7A27-00000000FC01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.244{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9499-6149-7A27-00000000FC01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:21.245{C189DCE5-9499-6149-7A27-00000000FC01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000262590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:18.564{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:22.845{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61ECAD3E745302D311E961E711C51389,SHA256=2BA26C03C1EF4A08BFB90B888EF7F2497B3FA53092D25A00BDFB0A75F1EA4758,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.681{C189DCE5-949A-6149-7C27-00000000FC01}24803028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-949A-6149-7C27-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-949A-6149-7C27-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-949A-6149-7C27-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:22.541{C189DCE5-949A-6149-7C27-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:23.865{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1753FA12E5700E930F7EAD52C03462,SHA256=7543F9BEB2AAD2AD64B1E7F768DF8FE5D4DDDAAF1AA16FC81169329E63600101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:23.010{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952E51CDEF7547993C3574E6AB886761,SHA256=F2388FE867A1B8738A1D004E2CD1AC1D01FB8682A2DDE21C9BCC1C9B1C76114D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:23.010{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F741ED6DA65E936E391FA77DC5D52619,SHA256=467E895C2D4A0C2A3AC32217939FA0CDEAA625307C3E66C42DB856CCE29FF0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:24.881{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5769D435DF336354181754653C22EDF,SHA256=61A182595587A92DC848D88CF0BB508492DDD1FA74BEA235470DA2E0A7AAA218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.592{C189DCE5-949C-6149-7D27-00000000FC01}3012520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-949C-6149-7D27-00000000FC01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-949C-6149-7D27-00000000FC01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-949C-6149-7D27-00000000FC01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.452{C189DCE5-949C-6149-7D27-00000000FC01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.249{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05ACFBE32685B90E23F01BA46D6E41C9,SHA256=9FF333D4FE8DB9A0FB6095CDCBC7DC7CD9446E061B8FD3805E36409F41AA3F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:25.897{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FB9BCC52282E58B7D0C077D26CA86B,SHA256=02559E8693666FE59BC9ACA48C3846F82576B642FAFBC958F212309C81070A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E15BAB840C04AFCDD593BB054769BCB0,SHA256=53B2143D956AA5382038263D5F4E1C0C4B592670B59CDF9E9242B14022625D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.295{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DB12A8DE1C17299EFDFCB31FE49DB9,SHA256=C337D3FECE17CB37D09793F5435FA756FC721B974701980F875C04814B0E9089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.264{C189DCE5-949D-6149-7E27-00000000FC01}2324836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-949D-6149-7E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-949D-6149-7E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-949D-6149-7E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:25.124{C189DCE5-949D-6149-7E27-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:26.897{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AB87E4C02BA4F68D08E39671704124,SHA256=20763E37F764B9F43D83600BA09B4AEAFA934898AE2EB7E59351822C3ED43854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-949E-6149-7F27-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-949E-6149-7F27-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-949E-6149-7F27-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.374{C189DCE5-949E-6149-7F27-00000000FC01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:26.295{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65DF3E5C603A69AD39F597A2673CBDE,SHA256=1A7B27871F88DCEA9F62FC2BFA01DFFA3A4E1D85EFFC1D808ED5F33A86F98431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:24.615{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000300754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:24.335{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64254-false10.0.1.12-8000- 23542300x8000000000000000300756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:27.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B8681B68A750E62071530B4B830400,SHA256=9D457D575B99293FB1EF071CC2CA4D5D90A78EF24F41627835CFA88B2BE496F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:27.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A40F9C5A9D2EE43EA2046C29C3196F17,SHA256=03A911A35E142335F0604E830F54C68363D14ECF05CA1B937549217D04211543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:27.311{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F33670A7665416E301AD8BDCECFCCD,SHA256=BE9D52AEC358EC6200A566F9C6B116EDAF5376F07B8A2F24FB4FC0C9054F7AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:28.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917A7D927786FB933E1911860C29A9CB,SHA256=2BE157E5520DBBF967CE6D32E510B524D9680B5632288053EAF267D1BB8F18DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:28.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239ED07BBBA1EAA79D7ACB19C3A568EA,SHA256=F8AB8369AB7477F711DE6B40A2E1AE788B1D52B5B38DAEAA61E5AE217376E40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:28.678{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FEB2E4D6CEDED03686FE724DB8AB088E,SHA256=B7BB159B174D989FC3EAEF2B8BAB0778DC25CF719E17224EE9CC901CD67B0E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:29.959{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FE0AB34F03ADD49CE29A0B64F2BF5C,SHA256=DA3D89D003C7D9367FF2BFBF5C13105D8D7308D4148D98953A43D74B74E56ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:29.374{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6B1918D62E81F5C064D447F11F394D,SHA256=5BF6BB2F68AF2484C33377A4803190945657AF1FFB3CABC4463814CDF4F46E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:30.991{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2F346D9D6DD9B535B0063123903C5D,SHA256=48E18C5DCD64E9136D2BE717C29BE573DC541513F19EBC09770CE108D3AEE51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:30.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994FFABFC46C12DA29C47199C967476C,SHA256=020F72B3F018FB8DD347862C28FFCD75D8D7844D1834D733F63956FED59A61D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:29.740{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:31.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0D685C3841A4201081AAFEFD662C19,SHA256=09A0DFB656596C6F6AA2A3F35B0B76D5758C05D65E5A6414CC5064D293B84032,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:29.382{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64255-false10.0.1.12-8000- 23542300x8000000000000000262689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:32.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB0AC88577120B34A2F0CEC15E93D3A,SHA256=7309DAA4471BB364D6C42B02FEA61F25CCE20E00AB8034F6D35279F491036E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:32.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38386E4BA226280E19FB6E2E358E14C1,SHA256=DE3A48AC42AE11D81272DB1594A7BE5F72C29D03D7FAF12BBA7EDB3BC11FCFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:33.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E730435FCB50554B409E4BFC52B012,SHA256=C07E7A80172BF91170C8A2ABE539142E7DAEADC471D7BD824844797E867CC103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:33.022{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676568C57FDEFC0D1B99DE1B224FD9EA,SHA256=533BD6AD24E93DE54C07EA4089AEC7BFD8CFD77B2B84B33A6571F967EC0480ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:34.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E001D07EE1A9B4716719F8D86268D3CA,SHA256=76A15A1BE0362A1C103E1C1525B48019F0C2B8F6AB219A922DB2BE3FD321C937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:34.037{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554246FEBB09E4BBC3172825C1918B77,SHA256=A9C63BA2DCB8AA6AD8275853B8B225A65D2A0300CAFE1E27EB8A0E16DD40629C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:35.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FBF6259A1E8F3A2FD24984A80B07FB,SHA256=F1F7D27DE10C2DB95A264016C5B66ABAEFD51DF600BAA5CCD874BBE43D6E408C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:35.053{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574090CDA6A5A57A8E858F18D8D0B68E,SHA256=1EB2FDB84B2B0E519BBB227276C8B424CCF17A0D875EC7BCAD404A6068EC278A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:36.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74B499CB0EA170376B7D21628715D1A,SHA256=FEE65E19B3F7ADF9019CE6B59A65BDACDFBB1AB15AD33C329AFD2EA4BD7AB323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:36.615{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:34.460{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64256-false10.0.1.12-8000- 23542300x8000000000000000300766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:36.069{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4C4D22E80E8CB5C4EA8AAAE1265584,SHA256=1FA0634FE325A07F9ADF63BB9DF6E02F43335FB6E0AD9A81687853ADD69F0311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:36.483{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:35.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:37.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB1E92919AD40D238574A49A6D69E35,SHA256=D99E32506A9E2B62BA913461F98A514FF37B868DE9DF1E4C2C3DB6B499DBF444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:37.084{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F80F5215FA5294CC4FFEAC7B19A8AC,SHA256=1E70BB539C65C03055D08B5D97E93AF174D82F930A32971F17315089CD9E780C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:35.943{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000262697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:38.749{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F561575BC0481862FBC828D693E8088F,SHA256=B5E2E5D6313271D10F34A980E7C03D2176AB03C6D1462BDA6E860BE25E11BD74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:35.913{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64257-false10.0.1.12-8089- 23542300x8000000000000000300770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:38.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B35BBA7B34D78A5F79FCD2DDC2FE09,SHA256=637FD137CA34E3ACA0D88A929871B850B231D890260BFBF3BA91CFD27B3DD419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:39.795{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782A356E2F31A2D2A659A0223FCAD3D9,SHA256=42DD38F66A97790A929E9942246CD529A4B38B466F5D75C0D345167D60AF078B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:39.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93694ED8838BAF24FC030530D9F2F1F,SHA256=016120B2A35585B9993DF65EB0BFB5FBBD9742E89F9DBC7B1F57FC843FAE9C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:40.842{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E0E759F86C24392A5AD684EDD38954,SHA256=D6113618A460776A242B78AC73D7885081EE7573431D3874796618614B8E3F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:40.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB574BAFB1564B1635DC2EC1ECFF16B1,SHA256=BEA5AA79699D20973A1FE6003A31EC15C6384F743A4F8EFF84A4582C4D3D449C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:39.861{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-917.attackrange.local3389ms-wbt-serverfalse146.88.240.4www.arbor-observatory.com34691- 23542300x8000000000000000262701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:41.920{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFD0764020B19C94BF1A5AF67F012B4,SHA256=07BE7E2CBCB8179D720F76BAD521C3CB95FDB4629DDC5055BA40803A698A1C39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.537{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000300774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.178{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20EEE2D625460EE84B11A92D406DC79,SHA256=8DCB3BE8C072E0CF44808F4D49CEF72A9429E0AF4580B7B6B6237C85569E4A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:42.967{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE12E0C0067CB9E490738DB5909DDA1,SHA256=905DDA3D6FEAFCD77139952240A4CAA1AF839F67D43D87D913713818EA3B4AA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:40.413{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64258-false10.0.1.12-8000- 23542300x8000000000000000300808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:42.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCF85D341EE9CAF0FA4135EED9F2380,SHA256=B623CE27A3790660B24B6859D552CE751C1454377A064981BD9B0F7EFA6F18BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:43.972{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4C57731CF57314309E7E88EF4F3D08,SHA256=036DD656B24FFBDDD7E594325732F6B27851D1D62AE7711E2CF37A42487ABE88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:41.038{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51748- 23542300x8000000000000000300810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:43.272{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CF2888DF0A2CC76E2AC8A8D67EE465,SHA256=8DE480E78C0D0B8461806B627D0A766EEDF98EB41F3233553BFA209422864C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:44.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C427A76D8F7E8D13F90A0B2786BE09E8,SHA256=3B2EE0ED49DAA17DC48AB5ECB7814FE75D65ABB0354D7F89768043D4338AC0D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:41.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:45.292{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF1A59F602F07734E34BA12C54548EB,SHA256=48E4A7478946A22D2B00300C793E6F8654557E0852978AA68B78CB4E86823083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:45.035{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389AFB05C8B2EA831E96D7E38D7CCC9,SHA256=3E0E6F1FEB157BDA822EC7D8A2F0CF7CC8A12639664FB7A22A1804CF45F9CF7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:46.066{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43990C24FC45BD4E1D033FC7CA28D1AD,SHA256=E565491D5F8A7BB37F6A4490952D656C12668AE38D5FE66E8DE3AA8C89592D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:46.292{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3C9C77DACE38FC07D8011E01729BA2,SHA256=2C9C44902F05E276451D8096D4C7DA62910ADF35EF349E240FF7A759188C345E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:47.128{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519116EB2BD2A6CEB2DB0B59F97B74E4,SHA256=B8D7C38F787EBABDCBB1BAE4226BF5CBE5FE4E1BFC1A5A020EA9EC98253C3D00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:45.543{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64259-false10.0.1.12-8000- 23542300x8000000000000000300815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:47.323{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EAC4631BD97BBEBAA2C139682F5E29,SHA256=5358A1B27A5A2396E4BE62BCA3235316D88BE3A898B1FAA4E3C9EE1DE8485C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:48.160{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3310E25B28F9C4797D322B6F6F3BA42F,SHA256=1EC26E3D7A3808706913B95440FD2D843DDD95223538CFCB50EEB32F2F76A807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:48.370{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35C92E24D6A28D29791FBED69591352,SHA256=61C04F3B785C662AA912CEA0AE367025FC9E913DAE4443600666421ED261716E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:49.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4CCAEB2FE7B2CCB69D91D0A4000B89,SHA256=D49776F69B2CB71D987E217ECF76A2C9AA0B3A1ECE3A05E3C74063B83476D20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:49.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F80501DA96D8AB8741BA26B0EB084B5,SHA256=92DCB399177862049D7F89F14FF8B7390FF135833001FA5AA2CDAFF6CFEA8707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:50.191{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1CB21EB32E6C384F6B31EDF25DC8D3,SHA256=5D31C2B63B677AB5AC0F7D2B60C2EC3B3E372120FDD71A11F4BAAC98B1BC51EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:50.401{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB533DD385E691432E8A811A6831B36,SHA256=41B49B8C8B4FF9889CCFFE64262F061FAC623C8BFFD75BA29C8E3C7CA1E0A5DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:47.651{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:51.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC77297501654F708639AC8FD9A8390,SHA256=9CFBF64D48B2FFEF1BE3E05AE51A159E4BDFC1D2BB837AF6F97E7DFA9D8546A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:51.433{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212E8E90E7B51063F7F4F060292CC938,SHA256=B76B352E7D8EBDB1BFDC77061A00D89B4C61211AE572ACF8EC86F19CA25C4B54,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000262739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000262738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000262737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000262736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\FlagsDWORD (0x00000002) 13241300x8000000000000000262735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\TtlDWORD (0x000004b0) 13241300x8000000000000000262734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\SentPriUpdateToIpBinary Data 13241300x8000000000000000262733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\SentUpdateToIpBinary Data 13241300x8000000000000000262732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\DnsServersBinary Data 13241300x8000000000000000262731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\HostAddrsBinary Data 13241300x8000000000000000262730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\PrimaryDomainNameattackrange.local 13241300x8000000000000000262729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\AdapterDomainName(Empty) 13241300x8000000000000000262728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\Hostnamewin-host-917 13241300x8000000000000000262727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0A58E09F-D310-44FD-B201-200A1616D8D4}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000262726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000262725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000262724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000262723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\LeaseTerminatesTimeDWORD (0x6149a2c8) 13241300x8000000000000000262722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\T2DWORD (0x6149a106) 13241300x8000000000000000262721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\T1DWORD (0x61499bc0) 13241300x8000000000000000262720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\LeaseObtainedTimeDWORD (0x614994b8) 13241300x8000000000000000262719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\LeaseDWORD (0x00000e10) 13241300x8000000000000000262718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\DhcpServer10.0.1.1 13241300x8000000000000000262717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000262716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\DhcpIPAddress10.0.1.15 13241300x8000000000000000262715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:15:52.816{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a58e09f-d310-44fd-b201-200a1616d8d4}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000262714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:52.222{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61FD857AA34C9D697B2EDAFB06DF5D6,SHA256=4D18D6650583BC0B70CB3312DC4E9065BFCF218C52F633B7E2949E480297B8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94B8-6149-052C-00000000FB01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94B8-6149-052C-00000000FB01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.495{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94B8-6149-052C-00000000FB01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.496{5097E253-94B8-6149-052C-00000000FB01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562607341E4EA76BD213CC7343D59440,SHA256=C9E18D1604215089F90198D9C2BEBB8F683D21DCED910E560372959C29225FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.824{5097E253-94B9-6149-072C-00000000FB01}32208104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94B9-6149-072C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-94B9-6149-072C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.683{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94B9-6149-072C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.685{5097E253-94B9-6149-072C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.574{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7DA96B6E88C0EF40283D48D7F7E2D1,SHA256=0EC661EFC093FCE89ADC2C4604184963801928745D0C4BF3BD2649727A9F4FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:53.503{C189DCE5-4A3E-6148-0B00-00000000FC01}624100C:\Windows\system32\lsass.exe{C189DCE5-4A3C-6148-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000262740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:53.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90ABA02185FB9908AE871D742B2C5FA,SHA256=4563C79FC4E3569FA69637CE33695BF52A4BEB7EC10810D4B6372C76459F4C13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.293{5097E253-94B9-6149-062C-00000000FB01}68487312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94B9-6149-062C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94B9-6149-062C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.168{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94B9-6149-062C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.163{5097E253-94B9-6149-062C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:53.155{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1382MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E53F4DC0E37C19A62A962DDF094562,SHA256=E5924F7CA911753C64183AC6C875F42D808D71D654844138ED274DA2CB1CA702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:54.253{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76E56E9FBEEF145977A9E789820C3E4,SHA256=740765C85DB065C89C104B13962F400D9FBD9A920EDA4FA3C7A386A15B910189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.557{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B19A71D58B2DF6988C3EA2C2CD78FA,SHA256=4EA1994547F67BBDB512C15D45549A156D3E9DF86D094741787C28FEDFC15278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.557{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87DF766E31548F904E95CAB9A4F7289B,SHA256=EA1A61628B0009ACE2B1D126CE1B150DDB393DE44A00D42E3981221278ADA03D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.510{5097E253-94BA-6149-082C-00000000FB01}25281364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94BA-6149-082C-00000000FB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-94BA-6149-082C-00000000FB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.354{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94BA-6149-082C-00000000FB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.355{5097E253-94BA-6149-082C-00000000FB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:54.169{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1383MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.163{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49705- 354300x8000000000000000300850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:51.386{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64260-false10.0.1.12-8000- 354300x8000000000000000262742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:52.292{C189DCE5-4A3F-6148-1000-00000000FC01}956C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 10341000x8000000000000000300884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94BB-6149-0A2C-00000000FB01}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94BB-6149-0A2C-00000000FB01}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94BB-6149-0A2C-00000000FB01}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.701{5097E253-94BB-6149-0A2C-00000000FB01}7708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.591{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E8DAAC71F2C2574B5B132C5BB1ABC,SHA256=738AC88C397C4435CC0A25B919900B552FC89C904B4C42582CFBDC8EA353DA7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:55.255{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD13A3FA843A1B683F399703B13AAC3A,SHA256=0B9DB84658316CDBA10C323DFE6F8C1A993DEC2ACB584255DCFE1863BF2958FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:52.982{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50999-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x8000000000000000262745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:52.303{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c840:56b4:9bd:ffff-55811-truee000:fc:0:49:8b3e:4889:7c24:2848-5355llmnr 354300x8000000000000000262744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:52.303{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9d93:d216:a306:2edewin-host-917.attackrange.local55811-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000300875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.842{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50999-false10.0.1.14win-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000300874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:52.165{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51219- 10341000x8000000000000000300873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.154{5097E253-94BB-6149-092C-00000000FB01}57765812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94BB-6149-092C-00000000FB01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94BB-6149-092C-00000000FB01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.029{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94BB-6149-092C-00000000FB01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.030{5097E253-94BB-6149-092C-00000000FB01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:56.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928D14214C598994778E4DD750574A18,SHA256=EE2B6E92D8F8C62B54A47092FE3647DF1AA1867B3F16E09616ADC46E5427156E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:56.270{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4219DD54C37B42B522DBA4917E45CD,SHA256=EF275618E94A5ECE4663A548B6BBFB1218F90692D18452C788A2B799E04FC0F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:53.589{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:57.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FAC762327927BCE500789CFFF6BA7D,SHA256=8F70C1222FAA61A5E377DD637DBDB4C948B31DD5567EFFE91E78A40436BD1698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:57.286{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30499D0630A975F2B45135DD9294832F,SHA256=B5D0D76F92144D7EF21D09406487C954E162EA0C2D1CA8842037481394B22FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:58.623{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D5568620E2304970C322E0CC153075,SHA256=4199AEE7A70D7F9CA5FC810E527775A605F4415C9C38FEACADFEE38165D26F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:58.302{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71FCB0145769B5A3F5ED24A401AEABE,SHA256=AFBDDB9A25AF534F68DA39D0DE7021FB45BCF2AF901FD7EAF71B2E60814AA36C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.936{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64261-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000300887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:55.936{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64261-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 10341000x8000000000000000300898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94BF-6149-0B2C-00000000FB01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-94BF-6149-0B2C-00000000FB01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.888{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94BF-6149-0B2C-00000000FB01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.889{5097E253-94BF-6149-0B2C-00000000FB01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:59.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF1E9B3F7E9D6B05CD328713BBD8363,SHA256=83150855E7976290F80534E9AC0DED32B994A4A6DD113847F5322FE20D5BBD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:59.317{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB807215DC76D11EDBE5A8002872ED98,SHA256=E52E680449730E855AD1B9DB1358B9B8E3EA7DFE97B91A8C83813CF013A778F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:00.654{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759853E532627E5A79832AE6D70B76E5,SHA256=203380B06D7D782516527ADC89F59E957C140F356DB5E860B4FFCE79328B7B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:00.320{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF15C6EC30E57B599DD291B83DD480D,SHA256=7CC350BB78604BC8FC976BB7C69DFEED102A9ED41B64DCAD98595F8A79358059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:15:57.389{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64262-false10.0.1.12-8000- 23542300x8000000000000000262753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:00.304{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1374MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:01.669{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17E15A4C2FCD1B706F6220B9ECB405E,SHA256=D0CF34DF646E58587192C884A5F037BA0F7B1F7B00D789823509976F64C5ECFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:01.322{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CD9B47D4F679D0F9E90EA16434E125,SHA256=4D584F57E66B7B0B6C400414A9A447BF55D71F06CF7187518D9D5A95D1D676C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:01.309{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1375MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:15:59.605{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:02.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608E0D5A738ACA08E5F55DF23BCFB949,SHA256=5BBD8757775273433EB5E62BFE8E580A2A5247FE58462CCE9DF8FB247BCB9ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:02.325{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B1193B5F3906BB4842DCA8A0E13287,SHA256=D010CDE79C790A70A7590C9816A3AE7F020AB3247274D72CDF3245192BFF347E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:03.696{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAA33C4A09E06324EE81106E45E0376,SHA256=1222642FBF13E2361C3E5E395C2EB18B5DC2547EAB28303F39C596BCD0EDCCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:03.340{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34F29CB2F761AFF75FE0B7335B96A8,SHA256=8E752B5A03B0D254C36BB600E4233F55884D015A52E1C36C3B0488333097462D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:03.293{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8E6D19E409689A45583CEA8BD48A3D9E,SHA256=A84392F64BAEA27F59ED2CD421C41E4F462EB6D2A9443CC0191F15ABE2945B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:04.712{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DE313B0C64F89E682768111487143,SHA256=1ED97DF45A0D475411B3E1B7AEED08728CE13D6D4C31C16CA41BAED51CDE500B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:04.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE417A61C0883273260D7CB9B3342515,SHA256=7DB0477C618CCE05AC55E1CD999A4335C75140FF1BC599EA4AA7A4AC796723C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:05.728{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6468B1B4259DE2ACA028E4E292894BB,SHA256=944536009A448D02B9FF1F40BEE9563ED90ECA8F5FA2BF342D700F10D9580C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:05.361{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B13541A0067B630785A552364F2A697,SHA256=11D7DD7597124CB39B287BD3F5D6928803436564CF8224BCD00C6EFD06099888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:06.743{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBC701F93D1D5E554FF5C53423C61F6,SHA256=A938F706B6D7F6E1376FD834EFC44C62B4CD0D849F2C94AEB10B8BCECE808C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:06.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B30A7B86A45B5C2EBFC1AF13127FBDB,SHA256=37B73E871F9DBDA86791EC972D23A1A17249A5E79839896D0AB4B1931C276405,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:03.400{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64263-false10.0.1.12-8000- 23542300x8000000000000000300908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:07.743{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CE6F1F0B06AB55CCE9C61385530554,SHA256=538D525130C1B5E2E5C8CEB46741AD2C05999FD25C3E4B2A708D9CBBCD1CFED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:07.408{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B4B4A1D0463365B04618D34EF93950,SHA256=97F382F2B18A8DA7C9A33E2BB9691AF76C8E5D3F93ABD61E18681190815491AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:08.759{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD13FBE29DCB1BC5E4A071F65C6B0ADA,SHA256=2FEECBD8F5697CFBC13BB527558690B290DFA9008E4B321EF17C8066E7D73DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:08.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF4FC4620F9E01228DDC3FBEBC88C44,SHA256=27E7472C748D9B97481D214244618FB815F218CE9BB785C081EB39F735961D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:05.633{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:09.759{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C465E5CC71E04CB77EAE37070F4857E9,SHA256=1524A617A3818E3D6CBAF09C1B4106CA1D371896A61ACB45091DEDD444FF5E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:09.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4582566C7BF0C0A793C0E21DD2106E81,SHA256=43451895C0802762427429A7CE78E4F8009694D41BD0E9E3A64EF8F7D4B31F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:10.774{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CC742B19A5C41ECBCE645611120383,SHA256=C87062F58631B9F109825E3F9545B081D68C48B83C433399A8E56D11A5B08E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:10.517{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82C3901A1ED0D3F7FE6CA346FEA03AB,SHA256=BA19BA535F1458178E0CA382B2223EE42D82E7D52594A50E068D5250C262A6BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:08.447{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64264-false10.0.1.12-8000- 23542300x8000000000000000300913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:11.790{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BEDE5B77CF646748DF37F6F61CFBA8,SHA256=9468A9078BF0E6CFA29236F41D7D27DA702F1FE39DB0B261B9C7FFC987D8489E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:11.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468A147A2B718EE6DBBE136EBF1B40F8,SHA256=BAF10B9027E431E456FD6187AEB297D3B7EA99CC61BCFA4AE3EAD9D66ACE0E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:12.564{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE43E7849196CD2BCF22B47121CFE914,SHA256=CB22FC0A83C684DB1C94450C6F1C335BA4D1DD0DD70BE1313EE33D2EB7A10BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:12.790{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37D637270A9AF696661CF5741D3B80D,SHA256=48AA919BF4BC53C8AA96FDD9B75F9BB6FA587151E168DE8D2FA93C0D9A7DF206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:11.508{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:13.579{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A11790901B40561D232ACEB251FD1C1,SHA256=32661218696984F63722E26824FFFE6B433F44627EBE8E7B5BA41AA5DB2F477C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:13.806{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900D8CFAAAE24A9E71681F0700FFA41A,SHA256=0BF1063889EFFA0C0F1BCC6AFEEBD7F5973F84DDE289AACC48D521B3B280900C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:14.806{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7424E83DF0280D570D9A44BE6E4EDB,SHA256=ADCEEB8611407FBA0ED2392885DD62307DA0E0F52F28BB01DAFC32F75B7767D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:14.642{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25831EB8609D87FEF93237FC4017A24B,SHA256=9121C055F56680101B46D24E42168427DDBED53320943AE82A2430882B8079CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:15.658{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101643AD07AD7E8FE5C3FDC475819E09,SHA256=FBA22FB515674500868D1BC4BCF026FA99FC58A631BCAD52FAFCE8270AD869F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:15.821{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E10FDF424D0D61A61BE828D97D806E2,SHA256=2EEAF53EFC3BEF0B27BBF1BC627EABC9C59642262DC47D8AC89665549890B2E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:13.494{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64265-false10.0.1.12-8000- 23542300x8000000000000000262775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:16.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5DF5472D98213B35682A5CAED87E3D,SHA256=47A4DE2EE455C559472B859D5A5E04A88BBE09CF11FAD8E8A7321A8965F79C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:16.821{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D784E2689604C1202667B1BC7C0431E9,SHA256=08075C94887BD9B0866F1461EDDCA4F3A94D8B5D435BE2EB4DC1317D9D4E3D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:17.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FE82BA4C863BF74034900A4B6D1974,SHA256=83E99220FFBCB76553F0F1BE75E17BD0882498EA405A9D15E000E208C1318A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:17.837{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B520F6E764E10FC973809C9EC2B7438C,SHA256=CF43F7434C87411006A6025B74DF8CB0150C5CFC5F27FFAA9D8CECEFEA675FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:18.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF96B63C888824B1E1C0376E0BA88EA,SHA256=0CC7604667F02BFCA438AB88DC76BF53C6CF734B55169A2F220BE9F5BA90023B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:18.853{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2A37E9FCFE9AEC8D387612AD263BC6,SHA256=ECA5ADABDAF8EF8DB0A954CD894F782CFB109A3EFEEDB2169FF868A1C57EEC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:19.767{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE27582456AD7E7C5B7127644678C5F,SHA256=5ED2A7CF6C09868F22F370A177C695AF2B2412B90B0D0EE192D361F1A59E075D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:17.524{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:19.868{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531AB7D567082C19AD50D7D48F44212C,SHA256=22089D0DCC13E64425101628C21C00576678E2DF982D4A741B0DD9C3A085CE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.814{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BEE0E7B601FFA9C4B0C190E92D9DEA,SHA256=70ED853B1AC87A4F27F1191D012E2064A5ECDC519E2CDBEC912C942817ED5694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:20.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E5938AE072000CB40CBD5251194E3F,SHA256=C4588193488DC8AE029A65FE4E39E9AD383AC676D6099E8478C4D17185DD381D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.767{C189DCE5-94D4-6149-8027-00000000FC01}24602752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D4-6149-8027-00000000FC01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-94D4-6149-8027-00000000FC01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D4-6149-8027-00000000FC01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:20.580{C189DCE5-94D4-6149-8027-00000000FC01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000262824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D5-6149-8227-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-94D5-6149-8227-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.923{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D5-6149-8227-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.924{C189DCE5-94D5-6149-8227-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.845{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF97563CBAA09AEF556CD727BD49AD2C,SHA256=18EEDFCB81DFBED7C7E79A8FC3AE23D1F231421D9748D51BEECE16A2568A150E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:21.899{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588974411576DD52C694F5ED7898AB42,SHA256=9D253E5272FA03A57C38044FF27F606C981AF8B1F9C0FEA03C3BD79039F35BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.814{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A753F6028E6833271A1ECCB1396C4D1,SHA256=690A90B6B0F8CB4636DA05C2283143416AF3A939129BBE27FC38AE8A62496A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.814{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7226F7A040ADC70A0C8543C79004F15,SHA256=634134929DD121C357363A065E2A3E567D8391277D8950349E7AEABC6B76DFE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.423{C189DCE5-94D5-6149-8127-00000000FC01}10361016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D5-6149-8127-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-94D5-6149-8127-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.251{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D5-6149-8127-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:21.252{C189DCE5-94D5-6149-8127-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:19.447{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64266-false10.0.1.12-8000- 23542300x8000000000000000300926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:22.900{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E617B0E4C36F9A4B0D023B0B76A62F,SHA256=B05669A37D416A79DF65354DC875D7B13EAF1D0B0C486757A718DE81FB2F6D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D6-6149-8327-00000000FC01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-94D6-6149-8327-00000000FC01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.595{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D6-6149-8327-00000000FC01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.596{C189DCE5-94D6-6149-8327-00000000FC01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.914{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD796B0DDA48DF4C30A1EAE3A8A3B80C,SHA256=DFD9FBFCC23601E3867519D757CB12A795507F1F173471A543C720D884F60131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:23.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3DDFA7072856F2D322457E799FDF09,SHA256=161825D0790E26156159BBA0DFEA1A260BB4BF5A68C3CD3AF8585E568CE4809E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:23.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A753F6028E6833271A1ECCB1396C4D1,SHA256=690A90B6B0F8CB4636DA05C2283143416AF3A939129BBE27FC38AE8A62496A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:24.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F482CD24DF158C744CA2BE2BA2DDB225,SHA256=D1B4DFB6DB08A45D1F6FAA78D8F200482121AD7BD23B32B675374B8215340BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D8-6149-8527-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-94D8-6149-8527-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.969{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D8-6149-8527-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.970{C189DCE5-94D8-6149-8527-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000262854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.688{C189DCE5-94D8-6149-8427-00000000FC01}572980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94D8-6149-8427-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-94D8-6149-8427-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.469{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94D8-6149-8427-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.470{C189DCE5-94D8-6149-8427-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:24.344{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AC7E982B32AFE855BE4C81E9E0FAA0,SHA256=D902CB5C6591395FA3A0C23793341AFB1E8F0ABF6FF512A99E6335BAD52D15CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000300930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:16:24.242{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000300929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:16:24.227{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000300928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:16:24.227{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000300938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:25.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E36D65AF13FE865BBD6A3E5212233B3,SHA256=7FB4EFBAF3A0C99A9AA0A6416185CF6541EFFF8C26113A5D7296A20F269CD445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:25.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D75C9B3059B4C1B99D54336B45E426,SHA256=6690BD119FE2FFD2E946C13E161A07E7EDC473F9D5C1E57751FA6B07C4C1A3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:25.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A556FC818B3FFECB7C9B54F7DE94CE,SHA256=6E897BE4A39A5E59DBBA6FACC5387FEB0D1CDB6CC9AB5E4E533B6B99C38700D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.561{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64269-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.561{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64269-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.556{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64268-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.556{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64268-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000300933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.541{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64267-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000300932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:23.541{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64267-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 10341000x8000000000000000262869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:25.125{C189DCE5-94D8-6149-8527-00000000FC01}5003320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000262868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:22.664{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:26.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA1B0E85108D5EE8333E57C27D759B3,SHA256=0881616D0191F25148187ADD7577E5DFBB2144F05374D1D56CEFC77872F4CE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942BCF0D3B8BB9ADE85DBC534C89F998,SHA256=E0B2D317DE0F392E0FED189AED783DD21FD357768408A119C645F5CB052277F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:24.477{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64270-false10.0.1.12-8000- 10341000x8000000000000000262884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-94DA-6149-8627-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-94DA-6149-8627-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.391{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-94DA-6149-8627-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:26.392{C189DCE5-94DA-6149-8627-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:27.945{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C2D78E3526B046F3AF69896788F216,SHA256=0A3F7844AC747948CDD843D911B2D1AB4B64F10B2E5314E9A6B0421FA7F1D543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:27.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E16A56C2FC1F435704E818BD9CD646,SHA256=4FAC717E3A29B3E537BF819C2533C4EA615A08C9C969BA9D2373F51B7FDC7AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:27.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266B20405F405756066D289C196886A9,SHA256=9D84B764CBFAD044D8A8AECC3304C2A49B73D0A7CA9C9C20F9FD705A78C585C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:28.961{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715367C2CBC124DA2036A9A042A05E6B,SHA256=6E89120543A8A4A70FFF1FCB6E03BE5E890DA17478D8AA376C86701AA2EAB6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:28.453{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66D6ACE8757AF09BFB1A77C5F972026,SHA256=AAB79A13E2F46DDA2E306C1ECA60A4FB84B4E2FBFA0AB69054F32A201CAA2AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:28.680{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=935C70684EDA221D11E63DE26030D805,SHA256=D97652376C1959A45B04A1C65D16929A0CF870CA084761162B3647445C824DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:29.961{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E58E569799CCD62C48DCDFBC9DEA153,SHA256=0F1985B27BA3217592F2E7A2948F2E789BB1DF3E755BEA1501F6312B95DAAD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:29.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FD9EB1465C30BC2A93160D3C7F8D9A,SHA256=2287AF6DA1D7C9A22C0526BA9F489FDCAB682122059FF34120C4C034AC72AD58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:30.977{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD92FC9EFC992557004CAB6DE48523D4,SHA256=002B5C2A79B3313977E644782981B922F7879832E0607FFD7D5B994929667CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:30.485{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5648A1104D05E5E82F2D4B74253ABD,SHA256=95797194C8A5050A40D56EA2673C467A1887E40CA00680E2015F6E7D37A7F066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:31.992{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6007C629005F9F2A207F5356CCEB21,SHA256=50D15951F9F00FC562E725F9DF81D88EA8FABEF81211E08A0B7545AFBD934A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:31.500{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084371CC35F25F0DAF98C625CD621E97,SHA256=9311AA449D995E85348D4EFA27ACFA2E4A0CE56535ECED06C44E88569F81B6F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:28.507{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:32.992{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95052AE4B077E28D30EF6AA4CB259AAA,SHA256=D3BD320016BCD08904FE77BA9DBEB55B9729C56897B9588735EDC32F9107DC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:32.516{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4304E09E4E4A611B0CCE0F8BCB05178,SHA256=1FB595A9CD7290731B25F2DAE5C27C4FA556534F54D46B6EFF3C18CABA51B7D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:30.461{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64271-false10.0.1.12-8000- 23542300x8000000000000000300949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:33.992{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56935CDD3BDF515703FEE60FC7FCB4A,SHA256=BA07EF13A1D614A8A372C8A8A9F717F2D2289454CAA43EE56CEDB8DC6E53D832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:33.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E145D26D10522915519210563FA99F8,SHA256=0C07ACA9610B8FCD7F87B5A997A2874BA3D2AF06947C402E422BFBD04E61ADAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:34.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E2326F28FF564EAF699D9FE5D7E65A,SHA256=1FB8F5DA518AAD6681AC2E5BA9F2E6F191D1FE8A68091175155884EB6D4B3481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:35.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8A7DC12907F12908441FB92283F3B7,SHA256=B3C82C0AF2E070CA93950219D5B3761EA0F60803D3F6E30D02DAE4ACBBCA9929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:35.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A900A0CDB895BC7FBF7C8A61135A48,SHA256=E11A056EDE02D5A8127556F58412D45D2D87D95DB961AE86D67E04DC97BD4693,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:33.569{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:36.578{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1F96DF8FF6530D150838C66B6D33F0,SHA256=7C6749B9BA25018C534C00F64B72AC5BBBAF1E95AAA4B34C3EBA68FC1C9940E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:36.500{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:36.633{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:36.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334A51D72EA61A2C2EF3516E4562C1D1,SHA256=CAFFC00815E7E51D44934C2EC8FCBF1C30C41F06F526F3F23A842282C0015918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:37.610{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F6F7597CD5E554EEE35E8B9130DEE8,SHA256=10955009287FE4055E13E0D7A7949741D291609017E2E710A7469E27F0D09FAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:35.930{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64273-false10.0.1.12-8089- 354300x8000000000000000300954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:35.508{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64272-false10.0.1.12-8000- 23542300x8000000000000000300953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:37.024{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08A31D056C4C0AAC84EA9EC6E1C8311,SHA256=639D6359BE64C1EB5B9D13923794EF994A5BDC819C1911938A6B243A6E104EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:38.641{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9E9D96F559738608922E784B50A3CE,SHA256=C75BBB9AEE69FFC46C662417B5E0AB55B2D1C678BD8C10776C0457D90F02C3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:38.024{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DB0326EDC45D6FDFCEFE06ECFF3623,SHA256=1527A8AB96BFA13A184FFF4C23576AA3375FAC30365B296D801A5CC3DFC8543B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:35.960{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000262903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:39.641{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C51971A3B6CC84BA0CE0F0D42F0B71D,SHA256=329EA536B372370B3123A2A98DF5BDBE2722581A7D9625D763F64E77004F2486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:39.055{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE501175FE45EC340666B548551C08F,SHA256=9361E57FD8AAE06A26EBC781E7C470AB0207F585682774D7534041297B09F39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:40.641{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634680C35B419CDEC173D96D3B69710,SHA256=9B4796E8E2AEA765F21870BFB3BE41B1EB260F3C55E23965D076372143935986,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:38.958{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51009-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000300958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:40.070{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C943E0743EB7AAB3FCFF1092633085,SHA256=84C4B699319C98062D59D11CBC5AB2B879A702F5BE169A13462A90340FF3A204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:40.625{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59DE8C4EE1F12691ECFF1E52738FBF55,SHA256=0E1F38E09FF295DE4CF1162B86F4A0DB1A542F16826F7F76C90F730BEDFCAADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:40.625{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF0BBEA915F643355B25069C7EF85689,SHA256=B13B233C000E7236C5558947B3AA7CB0AD494D1FE3CDEEEA73AE7A9EA5A5904E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:38.227{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com17921-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000262910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:41.672{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51C29FB6AD4580431027487A45A4A35,SHA256=1B447768BBA5E64680B82E98DC3AE7C17C1E112654B4FA67E145E4CCCD6C3EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:41.117{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EA83FBD3761B558C0566ECED5AEF6A,SHA256=54479514BD52A548DFB30AE3CCFE476A983F4DAFBEAA90A71204E4A886BA1B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:39.601{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000262908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:39.097{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51009-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000262911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:42.672{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA33ED272425B6CF29F8B55F9C8191D,SHA256=6E6577031C37087040EF0A39051CCED4671CFB7267461DC634B0D96BBBFF1069,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:40.571{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64274-false10.0.1.12-8000- 23542300x8000000000000000300961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:42.133{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A78FB2087296CC2F57806EAAA53511,SHA256=3137B67109388F04BAFB6DADF29FFCA597CA0F816C77128280F37E2D21FB6E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:43.678{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775E3960199807B753E264B708141281,SHA256=C90E512A6FEC9C6DBA2895857F99CE38EDC31B88132DBFF50ECAF40968452DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:43.164{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574EC04AE5B076DD600BB3C2027F0F0E,SHA256=DBE74153158BEF85E7BE2B77F6275E9A09C90A8C44E3C9B409B48CF334E50E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:44.772{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8D2655FCEC6BD46C2B6F1399AEA4A5,SHA256=26FD57116DFFCBBAA80B51F235E4B0D3F6BDCAD1B42146F275DC6F68891D2FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:44.186{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C625EDA7FF5820A752D5BA9453F8AA,SHA256=8FFA3DFC7192B2ECC4F7A2896EC4D9C3F80DBA1AB76D0D09BF4FCB87D19BF43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:45.787{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18808B48B1D7D269553A626360816E70,SHA256=86D131734D36A70AC343E8FDF706C875E12C02670CE3A607F7B9A9B833429C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:45.217{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3371853D0B70A50C127F3575574E55,SHA256=1CA4B8C456F747C06618E432AED6EEF4AA1C1ED1450CB1544664B460F8130334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:46.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E1267466291293D9E309F1072FA44C,SHA256=DA11CA873FFF7041A3B3C8E472E201ABF2D591882B7B8B64AF1C423E5737BC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:46.311{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA096B9D749B054C169787D7ECA50F9,SHA256=6E41465F6D03DD66961748DDF5976AEF92C03907B3C663920B1A9F6134302792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:44.622{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:47.819{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A011BDAE972D15D771364FFACFD1D17,SHA256=395414398A9DDA36AA18E15892AA4073B0D716C5F6534B92354516AEE80E7213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:47.389{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8397FCAC1EFE50F5DA429E15E9E11966,SHA256=51D6E756FCE79336AE351A5FC7E937BD236E6F8E40D8826E0F495D1F343350A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:48.834{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772292092FBC4AEE01281694F1725218,SHA256=A82241D95F0BB2AFA4AA2CDD487F3979DC0F7C49E39A8F745A4ECC9A2A45BFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:48.404{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC568AFACCA5D8BA915EFB0ED35D634,SHA256=178C409A66B809D61A9C449612263D7079454ADCFED28DD972310EA3C8DA6AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:49.865{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2D30C30CD1AC45625CF017E58F8D9B,SHA256=179337E95E33C981D44D65157F9D01CDBF6B2527901310F1022232ED9580515B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:49.420{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709A6FF603BE50A14769D07A5C6344F0,SHA256=3AEB4149ABA6551953611A8675AFDEFA0B09856F07C390E13A289BFF82D17F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:46.514{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64275-false10.0.1.12-8000- 23542300x8000000000000000262920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:50.881{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F076423E1996A9A1E2BF8E91BD8EF6,SHA256=3BCF2ECB554E74E5686E1AAFD126CFEBCA0315EA7CAD32DFCC0CF8E4BF2443F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:50.436{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4CB1F7F10E5C57124DBF91EB38E3E0,SHA256=D5D0CFEF8FF2AC1D1EBE2D7E921EBE065D4B8B49764A2CFC4D6438CB0B4FACDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:51.944{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFCB4232E5BABBF13270A8838DFC73F,SHA256=81FDBAFEAC5D4AC9AB810B95B49508A4DEB44518F7E269A2814F7A3A61202925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:51.467{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12684BB6F86D8C57EBC4C55423BAEE2,SHA256=83CBCB3A83558B0DB782ADF5A3F42B40290DAAFC26B4E8981FEDF987A4163DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:52.944{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B0893E7CAF3EFF95F7A3AC7AD8D985,SHA256=E7B39FB0DCE825161B4781D73E21A8299730A524FA86B6278B0D15AC02566FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F4-6149-0C2C-00000000FB01}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-94F4-6149-0C2C-00000000FB01}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F4-6149-0C2C-00000000FB01}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.499{5097E253-94F4-6149-0C2C-00000000FB01}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.498{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF24422A21284555A518D6EC89FB5B,SHA256=C3D81122FF8B1A11CF56612463A6A9C1E04A199BF888D31181E61C5FD0E41C20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:50.513{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:53.990{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF8BAC23CF7098039CED42FF2172372,SHA256=3085B62656390C66753A025D3036EC3D08184EEAA0BA8B32398FE9EB01419BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.889{5097E253-94F5-6149-0E2C-00000000FB01}60567280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F5-6149-0E2C-00000000FB01}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94F5-6149-0E2C-00000000FB01}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.748{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F5-6149-0E2C-00000000FB01}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.750{5097E253-94F5-6149-0E2C-00000000FB01}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.529{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA11B818F8F7A77A6314ADED67441D3,SHA256=707F6D3154DE78936F39F00B016E7BAAA8C11E7773D6F53EC8DA3B88BD450643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F5-6149-0D2C-00000000FB01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-94F5-6149-0D2C-00000000FB01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000300983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.170{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F5-6149-0D2C-00000000FB01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000300982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:53.171{5097E253-94F5-6149-0D2C-00000000FB01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.691{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1383MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.578{5097E253-94F6-6149-0F2C-00000000FB01}68565316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.531{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A9867703947583A537A3F6C41B5D27,SHA256=9E7D87D8A11CC5400D6C1EFC81A72193DE6BBCE13442E4EE6F87532273410E33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:52.374{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64276-false10.0.1.12-8000- 10341000x8000000000000000301007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F6-6149-0F2C-00000000FB01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-94F6-6149-0F2C-00000000FB01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.421{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F6-6149-0F2C-00000000FB01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:54.422{5097E253-94F6-6149-0F2C-00000000FB01}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.906{5097E253-94F7-6149-112C-00000000FB01}65087596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F7-6149-112C-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-94F7-6149-112C-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.765{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F7-6149-112C-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.766{5097E253-94F7-6149-112C-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.689{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1384MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5712EE570357A5D88CA092600EC481C3,SHA256=1F475BB1D2D760CDD3374AEEF35CABBDDBAB6171FBAC909230E1D496D01B4065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:55.053{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829537497076CF719627772324B679CA,SHA256=6793DE6508200675727E60BC84F167DB268CDED07CB29291A41383F8889A8CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.251{5097E253-94F7-6149-102C-00000000FB01}61326956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94F7-6149-102C-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-94F7-6149-102C-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94F7-6149-102C-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.095{5097E253-94F7-6149-102C-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:56.565{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEADE065A9ED10C24B1B2D257D72BB7,SHA256=11A8D56C5CD03EF0DC6A24ED88C58C2F46A1028795F6DF4A1897D824DA47C438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:56.069{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064EB0FCDF15110D4B9BE6D4FA1DB78C,SHA256=631EE1EF85813BB22661859323ECEDD7FAC3A91E7FBB8625C25C243C2BCECEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:57.565{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02671A04D7F1053ABE3FB20FDDB5ECCD,SHA256=E361F2AF59B8A31EB72CB0105F6FE0FB8D3C1BB6F9804B67E36920E804B95695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:57.131{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD1390B7BBA792D2B441E6C58D205E3,SHA256=33CA71AA84576C0D4CA1596C92FC16621B10743AED0C145BE4ADF0B40088DFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:58.627{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E53C4670DD3DC6D9934A76DDA2FA3A8,SHA256=C081488B3C127BDB8A0F3FADD0AEE0002FE3EBFA094E1C765112E155F2C45B40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:56.930{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse213.184.254.146leased-line-mogilev-254-146.telecom.by64757-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000262929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:58.131{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F360BCC9350219845F0FC5E4A0B8C6,SHA256=6FBB784FBCAA917680042CD8A3F7D7E927BCBEC80C8E63C262C8931F5F8593FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.940{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64277-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000301034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:55.940{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64277-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000262928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:55.716{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000301047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-94FB-6149-122C-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-94FB-6149-122C-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-94FB-6149-122C-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.909{5097E253-94FB-6149-122C-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.659{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9263FA6F77308C1831C5F0A94652B7E0,SHA256=D539A6D2C7F4375AE5D24130CA23A108DF2A8FD211867FDA7BE87EE9B2423CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:59.240{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0084FDBF874303F4A4E5B82FCFF97903,SHA256=620527AA5616D6D18FC421397FB8BEE122CC9544A91AE6645023AA6695EEC0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:59.240{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59DE8C4EE1F12691ECFF1E52738FBF55,SHA256=0E1F38E09FF295DE4CF1162B86F4A0DB1A542F16826F7F76C90F730BEDFCAADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:59.162{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4E5F22497D6023682A889C056CEA05,SHA256=45656F58550C20AEB86C3B3564081060DE265AA9B881785472D75898C4F7D09C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:57.574{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51014-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000301037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:57.281{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse213.184.254.146leased-line-mogilev-254-146.telecom.by65210-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000301049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:00.674{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25743CC55206E5F5051CFA9DBA7D4095,SHA256=257CA5A1B65E314FCE11357BDDFE25A70EA633AB116582728AAD2FDE726E9AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:00.162{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063932395F6A51B473FA8759F0A7A85A,SHA256=3D73DAF4777F0F92EA53C4FBD799C92190FEC15BAB1618744F92745D29963E01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:58.346{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64278-false10.0.1.12-8000- 23542300x8000000000000000301050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:01.674{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D07DB768C3FA77EECFD0E34A12D024A,SHA256=5D89864AE8B3356EC39E572B117F8F3475B9C4F0A4B18CCC840B419722C7C8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:01.840{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1375MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:01.178{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5470966EA560ABB83B44000D6D2B1503,SHA256=2FBEF3F2101125305AC63629CE7F27389AB7B8DC3F88D3FBE1AA3A93FEB13C68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:16:57.713{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51014-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000301052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:02.674{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D0EDE971CC52CCF2297DBF0A497E22,SHA256=ADB21278219C820CAB6742D1CD18040688E05D5B1A1487057EA157C99829593B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:02.853{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1376MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:02.211{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03E6F38C842CCE2EDEC8BB13993475B,SHA256=716013B4FF78702EA450E9BBBA0BF7639020F86D187D280B01F1B317565728E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:16:59.477{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-57083-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000262942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:01.655{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:03.303{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=97B991AD0B805102A47135F33F62CD31,SHA256=464B3F9D60AA3BBD783A7C9A8B15C225FBEA45F0148B565B2E6F85CE5D86E921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:03.272{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D4DA7BB5264790220AA506A5AB1345,SHA256=8EAA48A6FD86A4115DA4E0A43D103CA4E47B839DF1DEEC228166B7D44A59B95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:03.684{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935648820AA582D3F0CD43FC2EAB415C,SHA256=45466EFC89E50BAAE2D90BEB00811C13335E05BAA31FC9B5A4556C375E8ED45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:04.700{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD8E9FE7ADC62284D363E10FEB18B4A,SHA256=C2298CD4908E64A8C3141299E81A84FB065CAEB590B76EFBA83E4DD687C0E28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:04.301{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695A3B9A5A20C2D9C871B0C0F8BF888A,SHA256=8B892A12F57BCDCC9A8537E553EC2BF3CC8CE5F1ACC3B19413A498AB3C237353,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:03.356{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64279-false10.0.1.12-8000- 23542300x8000000000000000301055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:05.731{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBFD2E847C080A4059DA47D3D2B8331,SHA256=9CC9677A245B00127FCCF1B9CBC2B270C3FC201D80A201769267DEB39A01F410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:05.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EF0180049C24578C7D6D233A3CC68C,SHA256=29B6128DD51A20421395E903D94FD72B8C7767ADB8F7FF46AAE5C13FA5D7C5A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:06.747{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5886922EDCBEF2D562B054764ED5867,SHA256=A8B995385FC02F594A61254E6ECD02868DFC95873EDABA268B2114EC5F7112D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:06.348{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56C9F34268ED437DADE3C562719D3BB,SHA256=36CC00F2898151ED26CE707AFFA35DA9018EDA2F34015D22355D4B4435B386A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:07.364{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A22D9376F4D0BAE683941FB7F719430,SHA256=0CA9E6777638938611B7D2EE25354D8B46B561350387C058C046CFB5F942AE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:07.762{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68305E1021E9D4E995242B380570F1E0,SHA256=FC1E56850CC0964691FF3F8541F08D5CC8E576EB36242E4322E1A0B78D97D047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:08.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33115EC4B4451D57AF4363228CEE793,SHA256=CA885FF7927842D9746038044C957569D7B66B0CDC6E47B67FA96609AA7571E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:08.793{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AF47621F640C5EF059040F9A4F4BD1,SHA256=DA170D466523473328553D6A9260D9709873ECD767C737B45983176D4C62ED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:09.809{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2407A0E0DA50F6D2F84D2DCBC675F86,SHA256=0DB9B42F373C2CE233C0ED253A2B8DE4BA70EFC6CE535B6D8D17C2B827CD3666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:09.457{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C331A04D0C8580C9288BA74032D0F9,SHA256=0378A24C999FF24386A1F8E23F40AE0DE7EE4C1DA4263EBF6A149A6C0EC6B96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:10.825{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4262A8F340112E758DB76E71778D61C,SHA256=45D15EBDC9958C4BC710F9DD2E2B6E57FA0FEF1604923C8BAF38B0C43BCFD408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:10.536{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F65E21DF02023890E698D7B4559B550,SHA256=9BB32FC9AF60479FE9C753BF465A9EB8CE34F81C17D18B91CDD17C0EBDC18254,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:07.620{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:11.551{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21FFF56088535241CF52B7E3F0952D0,SHA256=F260B3DA819C38A0765DECF9053107FF1CD7644ADE487AAF375A4CACC2DE929D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:09.372{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64280-false10.0.1.12-8000- 23542300x8000000000000000301062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:11.825{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FF131988CFB7C0ED258707C18D4D47,SHA256=3E122A908359000FD4F3F8FD63F3F0C72F3C57D6A37BF31277B763C53F4F1232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:12.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF268D7AF82DA5013129E516B81BA334,SHA256=B8E79D1EA6D0ABC1981F7618107442CEE3A73D916353E42AFF546D172FB778A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:12.840{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D8A352EC8A6BE881781A0922BE2F36,SHA256=D7F6535EB428C85BE7F288922F0B3662D2D24740A78297B6129C3361C809E3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:13.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EA048DC11C0292C32E2BFD7BFE27AF,SHA256=BB4B34139EAC24DC36AE1EAAAC09F8F93E03323BBA2617AE9E5350C61A09C5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:13.840{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33CB059E4D4E3F14649694DB22785E,SHA256=EBD9C0664AD6A455ABDCA1430C64408D711104531278EF36B0F3273195ED1BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:14.856{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB04C30802A186A7283436CE7A92B300,SHA256=92E2F82792080A12BF677C36FBC107471D446262845C4A4BA38A656013007F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:14.629{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95867F1580F5C1FADC903C3EBE23257D,SHA256=6EB47D8F39D885D914BA3F946F8102A091B653B3638E8E01D0AF655919518073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:15.887{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF484E97745B6CE4448E5D7764FEE969,SHA256=2599B5C37F64068190F6622E9AFA5334F8E982422C544D743459F8EF059A1D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:13.589{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000262955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:15.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BC501E3D06417F366143131CD32B55,SHA256=75B7B799201CB3EBF2A848C85705A4CC4B3A6805575F42C0B6DEA67C7452EDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:16.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FAC45D39010D8EBBCB326CA4D77877,SHA256=9C0E791907D167866BF8701CB99C9AEF7D65AF12F36E6A0717BDC480820F197A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:16.903{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83444175F617BCE09411802C3302EDD1,SHA256=A7C5C96392718305547C6A02CE4BC6FC6B08ACD2A2D18055D9AAF2F335519353,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:13.694{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om50433-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000262958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:17.801{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4084AC7197FBB02565F0D30E763DB34,SHA256=4846341455FA5CF66CB45B37F09662E4D1ECB53DD009DE5D1E69787690A88420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:17.903{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B5D9EB5475A82E93262BDF06C631EA,SHA256=8F4F6CCA80FFD7F5E301A9BFDB3BFF05D0F912D47F9B028AC4DA2ECEFD25C3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:14.372{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64281-false10.0.1.12-8000- 23542300x8000000000000000301074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:18.919{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C953F6713182D83361F8E83AE363515C,SHA256=0A9A3EFA9FACDBF95BAA8B91BE98DC2118DD50DB5906D74844C319987A409227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:18.911{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3420DC634F9F5B405D6A2AC43FAD2C,SHA256=7FCC8AED3CF8A8B23E2E5AF8DF7D58F559AB7D626F2C04A33F37F8CF5AC79D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:18.012{5097E253-483D-6148-1600-00000000FB01}12926992C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:18.012{5097E253-483D-6148-1600-00000000FB01}12926992C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000262960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:19.942{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F37EE71231B81B2E05D7E616CE393F2,SHA256=6F704A2843549C30468E79D8C2BF8F5337E7D34DF615CAE69FE6CF7FBD9FD007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:19.934{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86564456D46096AEF4741DF259C45201,SHA256=991C07FCFE2401E73DC294E2D2C7A16E27EB9EA20ACE48AE401EF2A551CE1604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:20.934{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58193DF23DDDF4973EB2D5914433E613,SHA256=01EF59379CB2600FDC32F4C6A1D4D0D17EC1665B83386BF99E6488B1A418A2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.973{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BADC2DAD647B9A2128BD126B0B8B76,SHA256=08EB7DE559EEB54AB055343167F388E58325375BE2E7A581F9D49C6A7D671AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000262975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:18.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000262974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.739{C189DCE5-9510-6149-8727-00000000FC01}16403428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9510-6149-8727-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9510-6149-8727-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9510-6149-8727-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:20.567{C189DCE5-9510-6149-8727-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:21.934{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD1CC8280E0D0A9FB002DDA168E1E5E,SHA256=4956B1E486F52AC98B5FFD333651249DAF65FAF1343F3B2699D60EAFB721E9FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:19.450{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64282-false10.0.1.12-8000- 10341000x8000000000000000263004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9511-6149-8927-00000000FC01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9511-6149-8927-00000000FC01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.801{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9511-6149-8927-00000000FC01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.802{C189DCE5-9511-6149-8927-00000000FC01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000262991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.754{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B12E6C53AA8A18B3A143F404C38DB3,SHA256=587130F7ADA2BCFEF8A68F14AC31BA81C8F72A98BA5E61451880D8AF5E2D5BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000262990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.754{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0084FDBF874303F4A4E5B82FCFF97903,SHA256=620527AA5616D6D18FC421397FB8BEE122CC9544A91AE6645023AA6695EEC0C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000262989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9511-6149-8827-00000000FC01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9511-6149-8827-00000000FC01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000262978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9511-6149-8827-00000000FC01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:21.239{C189DCE5-9511-6149-8827-00000000FC01}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:22.950{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3059AD596D3AFE2BF258D095800144A1,SHA256=3A78C801451953BF62A284CC3A157F96CC174884F19F67CC6534357F1C78ADBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.817{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B12E6C53AA8A18B3A143F404C38DB3,SHA256=587130F7ADA2BCFEF8A68F14AC31BA81C8F72A98BA5E61451880D8AF5E2D5BD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.662{C189DCE5-9512-6149-8A27-00000000FC01}29324076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9512-6149-8A27-00000000FC01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9512-6149-8A27-00000000FC01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.473{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9512-6149-8A27-00000000FC01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.474{C189DCE5-9512-6149-8A27-00000000FC01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:22.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BCFBA057481B96C4637035B8BF441F,SHA256=DF5B7DF964FB31F9B0F42D9464334F2503457558CEE99E814A656054DE346C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:23.967{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84AE1946D71E11D668BA44D8B284F4E,SHA256=FBA1E63E468F043205EDD653FC194070FEC19D93EF8F4BC1056ACC991BE88B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:23.239{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A69B7FB9E287EFB8A9580D922006D8,SHA256=A412747D25AF5C870681C0B24C0C624361B81900780B1732FE286B16F73ADC60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.568{C189DCE5-9514-6149-8B27-00000000FC01}29722992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9514-6149-8B27-00000000FC01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9514-6149-8B27-00000000FC01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9514-6149-8B27-00000000FC01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.397{C189DCE5-9514-6149-8B27-00000000FC01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.256{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26420AA728D8F56E03E31DC2B4AB5B,SHA256=6000C0CE5DB1B71CC816DF7E9F5886B05A648DE5CDDD94A8E861481C71FD5DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.537{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DAF835E9192971C763BD7871D0C1BEE,SHA256=DE658F24A88D1C4A4700AB9669EDBAEFEEB088188074664D0D7895029E15D054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.537{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B5886F7BAB5C7882052E81680B7FA9,SHA256=F09425766476F023DAC5FD6BCB9FFAD95DDF03934534DC5F0F797167BD1916C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:24.998{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C200D398AC895A651EBFB4B2B1EFA6DD,SHA256=12F20B7ADB287141811E82C82DA3A4EFA341A6D212DD5B8F1D944E0A1D4DF84C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.209{C189DCE5-9515-6149-8C27-00000000FC01}5123204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9515-6149-8C27-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9515-6149-8C27-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.068{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9515-6149-8C27-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:25.069{C189DCE5-9515-6149-8C27-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.553{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EC290F217A6E301E41A48911438901,SHA256=3B0607F33C56F9186E72424417301D29796C47FF945ED2F8409C74801D544E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:26.014{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32E74067C5654863D9797217EA1CA7F,SHA256=B942115A38FF7B9F1C055CD623859A72421E1236A747DE918151AF0D6A20BA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9516-6149-8D27-00000000FC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9516-6149-8D27-00000000FC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9516-6149-8D27-00000000FC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:26.397{C189DCE5-9516-6149-8D27-00000000FC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:27.584{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5CB4084E442DC3830DB2B217D7E612,SHA256=EB26874406092798A756977843AFF1F177BDDE1C34602497C525E2BC40405B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:25.405{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64283-false10.0.1.12-8000- 23542300x8000000000000000301083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:27.248{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBDAA1B783F60E822CFE54D59542492,SHA256=5440F8CC35DDE7ADAE351F601AD3EDFA910F58A626B5F5F36D5A0E2B4E18CC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:27.428{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB630D1AEEBE2C7B2E577F625F3DA50,SHA256=20B940493877E42F4674BE5BCD4DFB749BFE2238C46A6D727FEA339B9FF80159,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:24.560{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:28.600{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31390A9EDC832F7B5BA645CDAD0CE00,SHA256=69066F25D249593517FA4B0CCF1A96C7A38B6ED06F5175DB0193830E7B40EDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:28.686{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7FEA2EAB64B491B4FADC0B1B77F35746,SHA256=76323D9971F8D77BD1AAF3CDB0D5C52826BEDEDCA0319742353723D31213E1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:28.264{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6964AE94782BCA4E354EC4A7D97D90DA,SHA256=1780ED72E9F9C2B1E0D3DE3A2CC7CCC4483F75413662E1B459DD86DA3EAE0076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:29.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A45ABA4E7DE14F0A3C71F98B3564C92,SHA256=2D3145B685F41BFFED0F147FB07E50FA01FB1F9E2FA5BFF282351F74769B694B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:29.280{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECD385F696468B55EABF15F6A228AC8,SHA256=95FAA73A2B4AEEFF8116BF6B06013A56041E7B10F14F45561E14F1EBB73537BF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000263073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:17:30.865{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec1-0x1f5a6a08) 23542300x8000000000000000263072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:30.662{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E651E388AF105BE83B248183B5E27E,SHA256=840189C24C4F318DAC0A0B474337FDA3710EFEE957E5EBD554369FBC99C6457D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:30.295{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AF05E485D93D8111596C8860484F53,SHA256=4242EA771B721EEAFBA09BDCC1B71ABADF725E62FB0D2268D95F998F11749DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:31.725{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B349D8DEA5816F3D42122368F26FC6A3,SHA256=EFDE213D9B91E4CA49F80D40983BAFA3EFDE1B0F6F8CD0BB259D96D424C53FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:31.311{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486BAF08D9703133A5514F922D528AA4,SHA256=2B147AA72EA25E928BE9D5324BD63EC2A71AC18E2A8E05AD90E1D65AAC240586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:32.741{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E32B30ED038A7B49401A1C873F0679,SHA256=1BC352774583953BD199026BBFCA93893424FB2B86E4D84247EA79B33239430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:32.326{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9E58C3834235ED3C951D5034D7755D,SHA256=949E2849C4981D5F9A82EE138CD739E9B0A6CA1C24C4BC499D618F899AB2A12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:33.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC166AF0EB0A5C6D39DF70F30F24C3D,SHA256=DA3AC4D5DC189594836B80B3574305A0D119A764C171F0DE432DC695C2E25DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:31.358{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64284-false10.0.1.12-8000- 23542300x8000000000000000301091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:33.390{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB1DD40CDC4FADF03CBEB69B644858F,SHA256=6D574D3AEC50D99B4C34ECCC0C3F60E28F4CF96AD67748022A785AB8DD5241FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:30.559{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:34.819{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A918F451F46259D898A149B599D058B4,SHA256=BF5E329E3F49B5136DF5B545018690C04AA37328546B9ED3CFC060EF3EC3E1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:34.406{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84D2E272BFC16CCA287B47D3A540C22,SHA256=27E1C4028E8BCB73DC07650E2EA645485BC0CEDDD774F3A1DC2DA52D37FFFCD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:35.834{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353931BE6542C281E3F12F9D3231DE1F,SHA256=F86D3976B3CFAA30FF3DB3A9BBE7F291BD5FB19A70A717CD1CCF6C89661D0831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:35.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9CDDE08A388B6BBFC857E939EFD09B,SHA256=7DFE92EFA3EF154C36CDA558BE0123E0BE9B7A83D30A9C3FD7504871824C16D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:36.881{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA4D1374E76FDC1D89DE18E95103A63,SHA256=D4E23145F2319C8791EEAAE9DCED57E07285037AE2AFBDDD8490270A075517D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:36.656{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:36.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C4693E86C16847C884A31310928F7E,SHA256=31D768650F111651E27FD102C5DC0458872B435607E164FE78F9B224F6E12CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:36.522{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:37.897{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A860BF73BC2DE58AAB8F64FFC0C6C0,SHA256=E15C18FC02592F0A361CC5A49D8B179BF4C2674572BCFF87A4D670FA618F6A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:37.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07771928DCCAA49800A68EE20F8CC879,SHA256=68F6BD016549AAD65FE9B3A4BE3B377D465A7B8A0A946839D8AFE1C590C4099D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:38.959{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEBD33F87ADE06BDC05A796CEB29F30,SHA256=8AF29ADE1D55D4B756DE78CB60913D7297285E25966E7A741D908AFEF30E9DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:38.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B40A2D117910D4EA5A04202098CD8B,SHA256=B3CAE11129FBCC868745EC8F66D3AE3538E6311795131FA5D7BD9AB3A4BF0E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:35.981{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000301099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:36.359{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64286-false10.0.1.12-8000- 354300x8000000000000000301098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:35.953{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64285-false10.0.1.12-8089- 23542300x8000000000000000263086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:39.975{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D021D361DA4707A5161C7B559D1E55DF,SHA256=682435CB0F80A7553BE812055A873B18DD2799877675FE6401EF003EE63B625C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:39.671{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8AE4E08563F9F78B20BF01DF34E519,SHA256=381EEC3AD9D7C2062F23F758E4642BA508159ED3B9F5A832351063FA18B7DAE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:36.512{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:40.990{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3555BE07693ED4F77EE445B5ED378355,SHA256=82B4A325BE93785B8785973DD66F04C5315C1009798D2D8BFEAEDEDC24BBF965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:40.687{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2D8417D209A37E19A95DE6719B3469,SHA256=AA7DE7BC2FB35C2C894039D1B071B3B5B142FCD561BF954BAC3EDC8B7D5D8690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:41.703{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABC62970C9823796526C7BEB2EFB406,SHA256=F47ECA60F06FF0C7D153C08B19DE5763C7D8F710D07478B8D9DE2F41C65A0C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.828{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB317AFF704FB707732BB2A50E1918B4,SHA256=39CD704999D2C1E66BE92C9EEF6141DDE50D55C0A9D5D77F45FDE248153B0541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:42.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C239AE10319D98C6E29706C6AA176E86,SHA256=AFEE77287E38DA969444906792E4149F9645CBB8FC9BC07858F1F21D547A9B70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.546{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.468{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000301143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:43.829{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DD14A58DDA4CE730FEE56503E76883,SHA256=81DDE0D045960A0A432319AF877647DF1D89B4F170B79D2C985CB19B7EBD05E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:41.669{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:43.022{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91CBB3FB818FB07B070C7A5B9BC177D,SHA256=58EB6C50152299ACFD8FC8C8A8928CF05FCDE1525A5DE429A517D6915BB796BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:41.782{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64287-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000301141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:41.782{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64287-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000301140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:43.484{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390C796950AD2A92887BC4DEC75BE8CB,SHA256=6E591C6B6A68F28A0B452D4A1D57FB945A48D1391606B5A9946374145FD5B781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:43.484{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B19A71D58B2DF6988C3EA2C2CD78FA,SHA256=4EA1994547F67BBDB512C15D45549A156D3E9DF86D094741787C28FEDFC15278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:44.845{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE04E5AB13FB357941A3ECA6CFB3CAE4,SHA256=A88B0E5A40C1AC3EF92E7D5D4999F71E449DC3AE9C1BB47A0B4F63385877FC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:42.390{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64288-false10.0.1.12-8000- 23542300x8000000000000000263091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:44.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80108C9054CD40E269E445FBC5E0C1FC,SHA256=037AA443456E3027C398776B06798E7F64C53F673D0C9BADA6DF33955F65FE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:45.861{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C3FEE428A914181E15BABAA9739C91,SHA256=938C76DB103FFD64378E9304D5B6AC88B09AC58ED54B42C3BDBE2E0219CFDC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:45.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959B019BA25C6004204B5D970F5CA591,SHA256=04C70F08BA83C827E2E1C916AF6B8DDB3F2CCE172F558C555A541F78B088DB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:46.892{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BDF533C20281C425C6ADDFAF3CF0BA,SHA256=51B5A22DE5A585370A2CD674555BBFC47A4B6D1C48762971891C24F63C2FCC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:46.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94C1808CFE3641817A90F70AFFCCBE,SHA256=40EF253E257A21FA4C4C5FE7AD3EB560E1E36299968B51B4CA335996923D385B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:47.923{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6951246D90D0D59D0BB1FB64A8F2C284,SHA256=6222DF9D0896A919B5051421BA4F53348DF4A092856000CE8FB687ADE03EF83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:47.071{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737F2AB7810119D459822F7465B4CA0D,SHA256=79C0F393AEF2E44500B340DAAF0E14F45FD86DBC68D42396DF63382A94C616C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:48.954{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD08923C25A64D7E6063F695AACCC1E4,SHA256=665447BE7890897720FDAA700FB445E5CCEEF10A979222177371F965443529DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:48.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EACE60D4DE40467627373C1407A9D85,SHA256=61ACBC079D63F415C7FD60C699B5B1E8027C664E642392C9D0825E746B939000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:49.970{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52F9B963A6C1D864586AD5DE1DFA744,SHA256=0198370FEA4A326123147DCD9D48A2B37A9CFD6FF98909A7123E26544FB67979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:47.515{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:49.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A784A593BD4C906F98756318A4D1CCB,SHA256=16CEFC094B99C66D7B29ABD96FF64105385DF12B1E12C30C278EEF99BE75472D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:50.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DDC2DE89D4C267BD4FB4763827213D,SHA256=FE96783D7089D5927846B910F4FD61D143FC38AA82DE9D4886DD9BB216A1A5D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:48.423{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64289-false10.0.1.12-8000- 23542300x8000000000000000263099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:51.118{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B601A7ADB6247FEB56C7870BB69A03,SHA256=1EE38BC447E11DD75446A4D2EE995205A522BA34ABCE65C0E9D95C8E07E7E5AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:51.564{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:51.564{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:51.564{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:51.001{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500DB01A50BC7DC1BA91D9F259D55502,SHA256=DAD2A8CC88BBA931589A98183A64702CC710015531992DA9A378B9952E3ADA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:52.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638F72A4F3BB0260787629E952346178,SHA256=93B36275CD82F50766696AF45320FFC8CB604CFC2922CCB38719C3519817B00F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.642{5097E253-9530-6149-132C-00000000FB01}71967392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9530-6149-132C-00000000FB01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9530-6149-132C-00000000FB01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.501{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9530-6149-132C-00000000FB01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.502{5097E253-9530-6149-132C-00000000FB01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:52.032{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED3A7FC5D56580CCFE21ED24955590B,SHA256=067CF2A029F40D195BDE4B2E157A173B7839065585E69505E4C2781808FDE39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:53.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD685664519DDC0CF7C4964263771A6,SHA256=A77CEB527877E25688B63809A960F3FE93396905D626703F4B9D32C9857A2742,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.986{5097E253-9531-6149-152C-00000000FB01}58605704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9531-6149-152C-00000000FB01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9531-6149-152C-00000000FB01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.845{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9531-6149-152C-00000000FB01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.846{5097E253-9531-6149-152C-00000000FB01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9531-6149-142C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9531-6149-142C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.173{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9531-6149-142C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.174{5097E253-9531-6149-142C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.032{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32760572AFE64F26DCFE7689744FCC4,SHA256=5E0319FFEC55823E4ACAED51235F275AC8499D883D74CE6BADCA31E065B8841F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:52.593{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:54.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844509D0CAC8DDC4E845D4E50B40970E,SHA256=326D8F0A18461DE7B89E39AC274FDAE5DC381869DC0E0BFCF30B3260444CCCFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.486{5097E253-9532-6149-162C-00000000FB01}72007452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9532-6149-162C-00000000FB01}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9532-6149-162C-00000000FB01}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.345{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9532-6149-162C-00000000FB01}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.347{5097E253-9532-6149-162C-00000000FB01}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:54.033{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0F778520C4C39C57A31B2319E06B71,SHA256=914EB45EC5BD48E0FEC345842933E05065CF5776DD59D36A40FAF3DCE947452C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:55.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F0E716C157F8DA1CC543A7A47D22A8,SHA256=F978699E088F6F15B2E730F7C559E7FDD73E2F9194EB58CEBA4A95CF8902956F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9533-6149-182C-00000000FB01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9533-6149-182C-00000000FB01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.689{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9533-6149-182C-00000000FB01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.690{5097E253-9533-6149-182C-00000000FB01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.158{5097E253-9533-6149-172C-00000000FB01}48406988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.048{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D20E32419AFA6327F5D6CC20853EAA,SHA256=6ECBD3176385232EF2FA757CEC5CF5B6C06C9BA70E8E673C9159314D54777E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9533-6149-172C-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9533-6149-172C-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.017{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9533-6149-172C-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.018{5097E253-9533-6149-172C-00000000FB01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:56.243{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D703F3E37664485625514864176045,SHA256=0E7AE9F31C7821576D80869644276A97EED54AAF833B83988D4C68B67AAD7936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:56.222{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1384MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:56.064{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C209E4AA59077D5964334B40681E9F6A,SHA256=E0C0EE40E24A2AD437E0920B37BE3EE36C908EC86D5D7A92274B74F5CB17F619,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:53.517{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64290-false10.0.1.12-8000- 10341000x8000000000000000263109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:57.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:57.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:57.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000263106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:57.275{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042E78B963B83C07DBFB5F855922D719,SHA256=BAC7F541571941420EBC2135FCF845784FAF3B61E608F4814A32B7433D2E143B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.954{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64291-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000301217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:55.954{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64291-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000301216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:57.236{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1385MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:57.079{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA6C685760B6FD801C6367C719829BD,SHA256=656FA0188C48704985E0934CA2EECF9AC9C5A02541B204A14CD5689E5FA004C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:58.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB64BB93A8B8DFB1191381D0C4E77D92,SHA256=71B7E0ABA2D0CE34003F7A272E33C67E3803D562D6AFF302B35AEEA80C894B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:58.080{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FEBFA226D6C20493ED21BAFF018BFE,SHA256=EEA8D4148B830BD2A1C99BA0406A59620995028A54D0AB4B2B1B33819851BE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:57.671{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:59.321{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460971A50C5234AB18BDDE802BC91DF6,SHA256=A196FE3A0512B1D4AE00CA339EE936D4CDF812B1C6511B2EDD0896D6A53752B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9537-6149-192C-00000000FB01}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9537-6149-192C-00000000FB01}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9537-6149-192C-00000000FB01}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.909{5097E253-9537-6149-192C-00000000FB01}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.096{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1E57B24E47FE41E5CE1D5AC2E05CF9,SHA256=7E157C3BF3C2E4ACF9B2CF03F714B27AE8314C08E1BA29C34083BCBBA3CBBAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:00.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BAD68B8DBD64C76099C638FB2A747B,SHA256=F5F256D0B495D77D4D8FD5F7DFB742E8517A9D74C96E677B304471A19B8E2938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:00.127{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CDD622747C32FBE9163CD0B1A501D1,SHA256=23B8831F6BE5E2A41B9DE90A9CB92A49B9F0BB10867FBDAAB1D41DB04A6D678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:01.868{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F379F4DDE96931F4EC34495DD22B39,SHA256=B4D7805322344FFE8D39324B16E9EF69CBDDAE9AB6451222B982BE4A2A794836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:01.868{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7025AF132C22FC0E2548947936BCE83,SHA256=BEA320773165587D4190DDB980FEDE46DE50B8EA488B9CAC41E1C05A597A55CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:01.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D8AF063555DB9D6C473EE8FABD8E00,SHA256=23838D7696048CA8C4BE37FA91ED4BD1C448FC894F107D844633F7F6A8E8F745,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:00.113{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-56720-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000301231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:17:59.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64292-false10.0.1.12-8000- 23542300x8000000000000000301230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:01.143{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEE0D2551E468078F805DEF04A1E335,SHA256=3648784C019A3BFF069BD912026E843CF8BD6FF532679D68FA07594C91164DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:02.368{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D4A293F8696C9C45A60211436BAF52,SHA256=2F7E9B927E17AE686F5B16CE620A9E34B59003CA5D46ADF8D03DDF8A404E3779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:02.143{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F21D64E21003D61E810FA523D02B22,SHA256=D7BB99286D8CE3762488F27FBBC7B9D68BDE64F54F7F0464B6CC99500C6B855D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:17:59.524{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-56010-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000263122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:03.377{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8901EA81178BAE5CE19F4A8CC68A1D,SHA256=61F18407803910410C563387E86213F28B621310807408E67F203C517DE770C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:03.174{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F87D17EA934780442BE5756764B92C,SHA256=191D503CE31F6F42E20F5633034336259C60103B5D69BC6F76C4739139AC55DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:03.373{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1376MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:03.307{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D36D3270E590F3E4DB86DC24C76A1A6F,SHA256=4099EEFDA8F28EF6E35AF7B3054A94209D1922BE4CC5A3B18766B74CBFECA9E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:00.328{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51027-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000301234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:00.189{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51027-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000263124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:04.387{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8766232F3AD32C481DB626495BECFE0,SHA256=501399C1C42C8647357E7085D5D37DD2D82CF61AA323B942B701B20A8801FC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:04.386{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1377MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:04.174{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727B1352A8125E3ACC89BB6FA3E77DFE,SHA256=F91A0AD10D5E82051E3EB3EE4EF3B7665C6C58E1C5F47CE7C9350CE4D05A44CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:05.464{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBFD3D00E867A1211122DF9BD36A12D,SHA256=39E1AF1F370AD09E2D1B1BD9E4DF585511E0FA1E061FB318E157DF5C3E62C315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:05.221{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01B7FEF59C156D4AEA5AA9252DDAAD4,SHA256=AC2BEF949226F2B2E5D413EE24FDF8FBDEAE4757C70B532F9E4DA1CBD55BFC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:06.495{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790A5F20E354B80DACEDC48B38E8EC04,SHA256=E50A337C7D2089F203FAC885076F70B6F2809F5CB16F545A174FF184FD4CDEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:06.237{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB57BA5C5B5E47CD74130F898AFCD49,SHA256=5480E4309C412ECFEEC86A28D51730B58DE752A281F1B50E7905F357BC2695A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:03.625{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:07.542{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E4A91CC2C4C68DFDB6616E8E127F63,SHA256=E0EE151A66FC31D97C61B155D714698E8727FD1FE12F98163469B627E70C425D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:07.268{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41A30C7C3B09BF30BB3004CFFBE835C,SHA256=752E8C4554CBF8A3E03BBE59F8406528C923401E7CBCCEC3EFD22AE31F2575E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:04.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64293-false10.0.1.12-8000- 23542300x8000000000000000263129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:08.558{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90907017DC4EBAD7444A19442EBB3FB6,SHA256=A79BCD2648EBF1650D72565BDC5619F55E88CC9BB3A175B6C4F9A201B972C059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:08.284{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2904F322F8AC6C00E490724D12922FF0,SHA256=8E1946B36E25BC1F1E5CE1C6A407968F1D633504710B605EA5350321DF8CB0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:09.574{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F852267C93B1313A9F81C89C0313B7F,SHA256=D9F492719FFB64FAD3AD22D78C5D67070EF88AAAEE069EACA39794F5103D04CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:09.315{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083154D072ED88B305632851AFEC019B,SHA256=24D7FCE4A13B07CEF67CFDD9DB137A4711B8E07F2212DF5D0BD687C3822CB58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:10.652{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAE44EDFDB39CF663179738BEDF9EC9,SHA256=9A63D394D4C627F0D7E3CB8F3F04F13C16E20B5CC808EB9395F42BDE70FC816A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:10.346{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8285C7B1DBA7E1B11217D4C80CE0262,SHA256=DBD94FB50B54E8626B0BC45BBEF18765BE83CF886990047F526317D0548ED4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:11.698{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC7CDFEFC45EED5913919F16485558F,SHA256=5A5F0DF55369CD6046EA13F34CB2C19D466D609C05A3F67C344402BE329DF631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:11.549{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601E728162258A771D83664BE27C56C2,SHA256=0ED03443ADF9749667957C7D19EEAD2C94611160C02178CB0F46133F564BEA59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:08.642{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:12.745{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5DD59DD00CE0B3CF2B62348C4492C0,SHA256=98D7DBFDB76ED8A7949AA3692C07FACA3441873AE2874094B789DF04104EEACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:12.565{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6665C10345A408A071D384B747714C7,SHA256=1683547D1F5845F245FEE5C437DE016870664349F0174C09972623EED7AD12BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:13.792{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3980EF0ADA92084727675986F4A1F816,SHA256=91D26EFFBBB7F09A73BC677CC0C328AEA89BB95294BBFF8D4E65E04C2F8DC7B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:13.596{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C494140F3FDD50CA92AE248A0585707,SHA256=C0B594CBFDDB3DF7D61E70ECFCFF32D935E8B4F047E8EF12C18A4A3CE81E8527,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:10.486{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64294-false10.0.1.12-8000- 23542300x8000000000000000263136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:14.870{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032C99F360C34F6CF00D43A13E59CB42,SHA256=1905530BCA1AE58F53E378B118173DDEAD26C6EA0480B805DE9E06452F2E929A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:14.596{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB4B378BEAA222449B4A559E3E167ED,SHA256=1BE938FD17F78C308360E78F07F13E1E7A0712A53ACDBF1976C0CFB7E7C40532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:15.902{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E898731C904F773687A840AC1C3F881,SHA256=2D799508ACF026A29EAE08A16C2ADC2C742A9887878744F2FFBD8A9748738406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:15.596{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D44190D43F1B40AC3AF92198DD1B78,SHA256=1847E43FBDC3438D82DAD1D03039EABC0C567D875FAABB44C5163540EDA0683B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:16.933{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06314A4523889125AFA0590A95B24D47,SHA256=75EDB9AD4859FBA9288E60D379C667CC03974D5D9BB18EC2505E4CDD6B820991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:16.628{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844CB8791F426AE40F09303CE40CB831,SHA256=DA97C713178CA0C589BD234627107DB94F96AB835E11DC531FB8E4701F325BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:14.642{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:17.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31B3E1025043438FF5D384CB5BB735D,SHA256=FF58088F255226F1FDAE266F91BC15611BA2839E32BF36CE8BB043F029D9AD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:17.659{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF071003985B44E1D671B5B1B9801F55,SHA256=82F045F9837CFB8223262A519761C4B8B860EA68BE4092E612A1DCC899506129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:18.964{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13F385E8FBA5B552BF8525827F1657E,SHA256=0A3F9750B6A79ECED8277D32386672C4E64146D25BF5ECE26E45EDEA5523F056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:18.674{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D319FED859F1104173FFB8136EFCE97F,SHA256=DD21C46D9597DCF24C304A07D371CB961FCC357C273E39C31CC45E058BA700B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:16.346{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64295-false10.0.1.12-8000- 23542300x8000000000000000263142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:19.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBC47024AF73895DC10E50E596943DB,SHA256=1DA12F3A9799D13FED1D3B23A54C1F05EF55E554FBAF59F4F3B93BB478C6DCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:19.721{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8D3D4CD1C6CD96AC5D837A0E221593,SHA256=D01B971FA94857C571B867676F2CB1EFF2D6E6BA8E3CFB031F0CD5400C3AC17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:20.753{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87046847722A8232001A3006FFF0189F,SHA256=3E803EEB55A57E7CBDAC2FA895CE10EB74E3F91316F7DB88E65164AC313CD18C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-954C-6149-8F27-00000000FC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-954C-6149-8F27-00000000FC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.933{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-954C-6149-8F27-00000000FC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.934{C189DCE5-954C-6149-8F27-00000000FC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000263157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.691{C189DCE5-954C-6149-8E27-00000000FC01}12044028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000263156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:20.685{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec1-0x3d0d1f24) 10341000x8000000000000000263155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-954C-6149-8E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-954C-6149-8E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.433{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-954C-6149-8E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.434{C189DCE5-954C-6149-8E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:21.768{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B678A0B1DC26015F372A837C09E1EADD,SHA256=323085F6F07AE5A77829D54447E3EC46B3A93F05D310BD14DEB2E818B4C013A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-954D-6149-9027-00000000FC01}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-954D-6149-9027-00000000FC01}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-954D-6149-9027-00000000FC01}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.605{C189DCE5-954D-6149-9027-00000000FC01}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDB36CA66A8E67DFAF286AF07D7D039,SHA256=B5E66251EEB2E82CB839FD53C0A4BDF1DF224EFFE6831EA62986CE5926F26013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F379F4DDE96931F4EC34495DD22B39,SHA256=B4D7805322344FFE8D39324B16E9EF69CBDDAE9AB6451222B982BE4A2A794836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.089{C189DCE5-954C-6149-8F27-00000000FC01}7483892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000263171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:21.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B1E687B765A2D7A4066EA7CBAEDF4D,SHA256=6A6594084B509C87E76B32F9EE39B54943E9FD58FCC8A2ECDE3F931B1BB9B8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:22.768{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90E94252589254FBD41C4F0A42622A9,SHA256=10BDF820EA493807DB49895D24D0837534514983458D34D0E1B4C27B05067612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.141{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000263203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.141{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000263202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.620{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDB36CA66A8E67DFAF286AF07D7D039,SHA256=B5E66251EEB2E82CB839FD53C0A4BDF1DF224EFFE6831EA62986CE5926F26013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-954E-6149-9127-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-954E-6149-9127-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.105{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-954E-6149-9127-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.106{C189DCE5-954E-6149-9127-00000000FC01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:22.089{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DCEEB8E97DA01A971FA9D5D1614960,SHA256=7EF3116FDF45CDCA5AE270B799624E5B1B1CE1C04172E6DB1C27A507E5B2A2C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:20.003{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x8000000000000000301260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:23.788{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B97E2877CDB28AE222171F81B39C8B4,SHA256=4C06EF67BC657DBB3F176E7E7EAC97DA26B2B246AD0C2C36412ED3D8517D979C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:20.673{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:23.152{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902608EDDB8934BCE4889459DACB5212,SHA256=45CA89B615C867869C279875DA0516FC344651359EAE6F809BB186E420D776EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:21.393{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64296-false10.0.1.12-8000- 23542300x8000000000000000301261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:24.850{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053A9DAEFB800C87049DAE758A762E15,SHA256=9F742C58E8CADDBAEF93D96B058277C5DE7B3A37647FE76FF9431A49A3F85B63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.561{C189DCE5-9550-6149-9227-00000000FC01}29522184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9550-6149-9227-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9550-6149-9227-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9550-6149-9227-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.405{C189DCE5-9550-6149-9227-00000000FC01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:24.186{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12843A1D26C734EEC4A43A18C0ED3582,SHA256=934DFC7928955208AD78E0013B0469A47886C9AB75948CF953AE31E8069224BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:25.882{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346E7065BCB806112A4B39F3742A70BA,SHA256=75D52CB9FFE6020CAE26C13C2A2D1B6EEB521E77C6258F70F2CDBB0FB50EB3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AB76C6F1DC816E6B6F5A636D0BB65B,SHA256=BDE5E5648E002B732AE5EB6932F455E34B38DDF7BB46631CD76BD2E37E28136F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB45655C721C9ECE8A04A73A2B1D111,SHA256=445F5BF972FD40076F0860561982FB8938D550BB0778D9F2D20F7F5B1EEC7304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.248{C189DCE5-9551-6149-9327-00000000FC01}31203700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9551-6149-9327-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9551-6149-9327-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9551-6149-9327-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:25.077{C189DCE5-9551-6149-9327-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:26.897{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2CFA98D54AA572480C4F8BCD263B20,SHA256=03271834E4D0E30510A4A7B7ECBEE1C66F3BB09176E3BA834E7165C61B439A77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9552-6149-9427-00000000FC01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9552-6149-9427-00000000FC01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.405{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9552-6149-9427-00000000FC01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.406{C189DCE5-9552-6149-9427-00000000FC01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.311{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526556BE55359CA23FABB98E2E2A9A4A,SHA256=17AA9DF1BF0EC2D136DAF4EFE2407090EE75794741930CBF1F6BEE328E7364C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:27.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CC1DFF28A27FD68C80F9CB91CBD180,SHA256=DB7E6676AE1C51A0AA5DA0B7F1AB8BD01CA7F17588E63AF7C0DBC4873A611FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:27.561{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A697696D0681560B7E06B9AEF7F959AE,SHA256=1FA533322D567FA188D2A67789A205FC7B795BDE0D0FC61EA20198680B3EF91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:27.342{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAFE2F741BF1EA140C468834A6F1DAD,SHA256=165BF36254FF42C01101AFA18DD9E94D2D3408ED5EA6CBEA41BDA0FF84D7E09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:28.928{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E7DCB3CAAC737CA527BF9393C30C7D,SHA256=A85208BF34C63AF8CF89AD6462259E58270027AACEA3A3E115B8B87F53344792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:26.582{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:28.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFF172B5F823A2E1482B1E5BBA3F8EE,SHA256=E439E2507897E75BA66DF5B21C8EED7CBD8C79A82D17CCCE70C7235577665428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:28.694{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EDAD362AE3959593FF859445C3D79089,SHA256=1B4A00E679B9F7560E17FC0BF993BDDEFA4C97942963E538A57B4ED0E3AB1195,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:26.444{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64297-false10.0.1.12-8000- 23542300x8000000000000000301268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:29.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10226BDBE620A7601E90ACC9F0FD3C35,SHA256=27A4318FBA1AF4A16BC8D3B7472E6B0160BC051B311D1A0AD6ECEED7E469A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:29.467{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D36F2E424978C6D67B5031EA02879D0,SHA256=83D2F0D227608CAB4044545EE7C306396413ABDAC246C7ABDF75CFA8A1C9DC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:30.991{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C672C9B2D5597DFDDE5DE10EC69052F2,SHA256=2F97061F1B307CF44691392C00ECE3875874E61185832A3DCBE9506B21571AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:30.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730E6B7F90E2C2A06C673A5FB1764E06,SHA256=DD8D3651C8C577AE932DBD6C6A74D4F3F5FEEFEEB4253E5AE5B29763E1139FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:31.991{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87901B0237E833049082B2E76FA2F47A,SHA256=B91EDCF8444A00FB19C8DF1EC5B3D06C1C96B5CAF68A502E460315163A0C9CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:31.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45221FA269B5E05E01C318A90AF45EB1,SHA256=159B4B1C878EC2E15F812C86348F9E89F8368BB4578B4ED969B5107C68423883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:32.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3997FEF5504CDA93BCF53A6BDF75CBA9,SHA256=AE19FFE50DE678BADDC85C7057E663134A3B424EF8B9DD34C381D0C13DBE928A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:33.624{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3599E0AF3423C40A2BF0BD0566F06A32,SHA256=9F6216CC35AA7E0B25FA40600F75035907E6DAE479AB74C490C8FB90075063E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:33.007{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912749099BB753707DA4B2080E07884A,SHA256=7DEBA4E49930FAEAE50448BB59B67F69CADA718526C06E93A9A778AC57CFDD46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:32.582{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:34.686{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9E2BF7EC761356843D3D559A532169,SHA256=AF55C89AB9969F8D191CE6682D72BE6181E256E5E7877AABD42C486CD4F93D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:32.397{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64298-false10.0.1.12-8000- 23542300x8000000000000000301272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:34.007{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E85B5ACA15D4D15CA1D3EFF607FD091,SHA256=7BA3D2FBC6EE39B14C11DB27EBD2FF195417575EF2E83A0E34462D87734683D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:35.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A51E3BC4EBD2CC45370E0B7761886C,SHA256=0DEAB44CF05D6B23180CEAFA3FA79FA56909D7C19F5792D761DD771AB6F51272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.913{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.897{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000301274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A65ABD5CA226893C858A1BAAFD91B93,SHA256=21BEB0EB2DDD6984561C26D58D8BB78725E947FB865F7D4EEE54F87120028757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:36.717{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D56D6B7F4FDBDD6B37ABE2B2072380,SHA256=F9540BC77FC711C26F087CC7AF741EEB41144437D8D4F723B3F997BD16180742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:36.545{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:36.960{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=912BA9A29E1508CE0131DC5B573182EE,SHA256=80DFC1B992DD89A1DCEA6A20E73A42AA2EC9740E640C6E3C4047C4C86A6FC7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:36.960{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390C796950AD2A92887BC4DEC75BE8CB,SHA256=6E591C6B6A68F28A0B452D4A1D57FB945A48D1391606B5A9946374145FD5B781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.109{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local64300-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000301281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.109{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64300-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000301280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.103{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64299-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000301279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.103{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64299-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 23542300x8000000000000000301278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:36.678{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:36.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CDB505D533694B308EF7B410CDF61F,SHA256=26F8F5BA01EA6FDB4D58B80BD60EF17FD010D4EE61891BD7FE5CE00A9848F417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:37.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4DAD1C09047CFD10F1867589A2B32B,SHA256=845F04D830121124F77989643C819FC73F2CF47BAAB6F0594B331A84C2E9D68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.219{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64303-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000301290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.219{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64303-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000301289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.213{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64302-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000301288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.213{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64302-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000301287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.212{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64301-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000301286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.212{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64301-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000301285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:37.054{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC60C2B3E0AB0212F3BF157E61755C4A,SHA256=659B9E2C3278EC119A85F61683A6C7E6119A6E975C32E3942E2774566A25BC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:38.842{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC9F14F2840F461B90A2C26B488D989,SHA256=FE40A6DF12D6C33E1DBFD7D617E5D90ED6AA2BD3AA40A6B96F1FD062B4E64813,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:35.975{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64304-false10.0.1.12-8089- 23542300x8000000000000000301292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:38.085{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFBB6D83AAF410AE27B9E38A1AEBD9C,SHA256=D14B0A776BDFDAC0030EBA3177168CFC334754094041D75D54ED49009A07F586,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:36.004{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000263269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:39.858{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6B8686C18565B7B6BEF72BD8AD46B5,SHA256=2A8F1B921F81DA7D40EECEC893D3A1C20119A4FBAFDEFE00C43740CC2BDD9CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:39.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EEAFD78218F566D1E21215E9F85796,SHA256=CA1C7A93B13B5063AF302D63BC52F787A74DC1136490A2E67AF80EFB5357E642,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:38.520{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:40.889{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF59A95EAA9273648AF29041AEAEBDA,SHA256=26E8CD24E756EAD751ADA0DDC47FEA5BC99982B315874606963651A20B8B8626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:40.116{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B64706AD2DBD0DA46163973676FC5AB,SHA256=2CAB3CBF11FA66B290E6984267776D9DD174EEC0A5A42DC0844ACA81758A835E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:37.412{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64305-false10.0.1.12-8000- 23542300x8000000000000000263272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:41.905{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63551D3DC3F9B8611276D33E5DF2B9,SHA256=26579FCBBE06485528DE7FF5F97D43D65E6EAF90000A2D679C56E217C223734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:41.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70356C3687F28EE47778046CED2AD064,SHA256=7CE75793A9B18C1BE58B05D2E31FD9B0E7FAA78276A1A937B9FE74F86F608C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:42.921{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F0218861E4BC45FE69578EF725436,SHA256=014D6968F0953A2CCB847830CC5850EA21A3E0E8C55160477557E798ECBBEBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:42.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC9A52C9D9C80B1046ED69B9B768A45,SHA256=00EAA53C6F53FD1E64F1E3C0698F4B56A92E72ACDB98C9A587739708E99BF97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:43.969{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA974BE89AEAE42A185B268032223634,SHA256=A3F75A51687F93A274900A3B85838C1EC664A622071DB5B0AEE5B189ED3413A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:43.178{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3938A197A562519D59946B5E2D36770,SHA256=19F01324362BF457480FF309D168A4CADDF09117327C47D28524692D95EF28C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:44.196{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302C5D32721D05E91B43B216E723DBE7,SHA256=7DD215C8B61BF3EFB4BFC1263CB2D1042C3607313CD3DD3E8770417EDCC5C6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:45.031{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7A28FC9DEFDF66D93AD6ECC0005522,SHA256=359DA59B00951DB43FF8570DEB166172F49B589F195DA62A45F035F1A28D1334,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:43.429{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64306-false10.0.1.12-8000- 23542300x8000000000000000301301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:45.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D8532DB0A8EC9F5D07DEE007A903CC,SHA256=CDAA20B1EA039D74432763495EC3A95CA31EFF6B489196E3137826C0F1A80CD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:43.693{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:46.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536BA865C9C4D9C22F1FBC919B31D73A,SHA256=96D0FAECF046E6F3034A0D5D9FD32D3F502B0C97F0703C53E1C23DC222BBD912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:46.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733238A87A4409DBA0843B19C46BDEB1,SHA256=EFBFF89F37EBD3C39E57812829EA7A2F8E584AEE5355CD528A035B605A4A861F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:47.094{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA634420D8EBD1FBF1D79C9572692FDE,SHA256=152766A5FD8AF63FC05E2B5152A4969E293522369042CB36D772E2CA2FA1D08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:47.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FA8456505A821D4EA10A592E5D467F,SHA256=85CAD4EA9E23668669C13733E4954C759040D238C29A06A2DCFE21203F0D0EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:48.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261A2DE28735E54B2DB12AE9B35D986A,SHA256=87B75CDE2AFB2FD489BC38CCB14EE50FE19B1D1D58313869667690A7DB313DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:48.094{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5B0815F3DD2A01613F474F0E1DCF64,SHA256=033C5276FD4EE31C6462D499B3C516AA97A637E4D3A2C93506E5626E95CA2F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:49.172{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127AD8B41A7B030FEF22B53ED4650675,SHA256=638909500E6AE29D07098756DA0A2F0C6DE876102154B98B5AB1606974C71FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:49.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AF71C54E7214315F9A5DFE8375F2F3,SHA256=F44BFA2329AB8CA1DBE7BF9EA927A3CA6E2D6FD3C58AD375CB09132431602B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:50.172{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B3AAF79DDC1D60F3900C73C2F0EAAF,SHA256=950F5C592E086E5B19A99DA38AC2C504CBF0B80B11D929CEAE6B21AC73F35B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:50.289{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7168C3C865259B8E76CF0C0A75B0022D,SHA256=23E4CD7E63D0B7B6738B3BCAC60E045AD882945B4643688FBC00AAFAC9C4DAAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:48.693{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:51.235{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78019F3B9294D55BBE75A4B2C88D67EA,SHA256=803F3F8B5A4A448D988FF2814D8465A4477379749B31B3CBF0A5ACF714FAC279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:51.289{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2210DA4EE9FF7EA7198C1A423CAA92,SHA256=426ED47564C43F10FDE2844AC003C2A55B4957AFA87F3478AA8B3780BC82DF58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:48.445{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64307-false10.0.1.12-8000- 354300x8000000000000000263287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:50.358{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com16823-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000263286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:52.266{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E574AF01044A6AD6C56D14498803461,SHA256=EFD60A9F725FDEABE85B42B611F5A8CB5E92C4E5884B104D2CB8441B95437EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956C-6149-1A2C-00000000FB01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-956C-6149-1A2C-00000000FB01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.508{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956C-6149-1A2C-00000000FB01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.509{5097E253-956C-6149-1A2C-00000000FB01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:52.289{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D845F3FA6102A642DBC45BF74E9BF,SHA256=3FC11FE3CDDB85C90063565FA5616C879691B53698E582A6A0CD05E1E7E8390B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:52.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5FCBA94B814180D784C1971F3732E3,SHA256=4B45DBD00D5FDC43510271C22E311A63A934B7D7B7A2B53E4DD08146998FE69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:52.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC6EFD18A07969F435AC8E4BB8AB0066,SHA256=F71E9A5C7003C71BB23A40D16A41A84A2D122E4E014C4F46F6FBC9D74F8ED8DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:50.626{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51038-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000263288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:53.313{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF80DC73EDF250C548D8720DFCD0A5FE,SHA256=6137E67B765E113B44C672533D69DE6A8D51F4916E5C2E43A0FA7517724C3242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.899{5097E253-956D-6149-1C2C-00000000FB01}34963644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956D-6149-1C2C-00000000FB01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-956D-6149-1C2C-00000000FB01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.758{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956D-6149-1C2C-00000000FB01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.760{5097E253-956D-6149-1C2C-00000000FB01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.321{5097E253-956D-6149-1B2C-00000000FB01}76806408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.305{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBF26D2A517A5F813E8D91F6BA5772E,SHA256=F7FA1D9F52BA3B870566D309A6F949444AC8343D01776B15265EED2216AF567C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:50.488{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51038-false10.0.1.14win-dc-966.attackrange.local49676- 10341000x8000000000000000301326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956D-6149-1B2C-00000000FB01}7680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-956D-6149-1B2C-00000000FB01}7680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.180{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956D-6149-1B2C-00000000FB01}7680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.181{5097E253-956D-6149-1B2C-00000000FB01}7680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:54.344{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA419AE9A815322BE30ED793848A5BCD,SHA256=CB8FEEDCC402577AF2B597F04FDFA9AE4B037CABF55828E35D2E0919D7E9706B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.539{5097E253-956E-6149-1D2C-00000000FB01}81406368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956E-6149-1D2C-00000000FB01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-956E-6149-1D2C-00000000FB01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.383{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956E-6149-1D2C-00000000FB01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.385{5097E253-956E-6149-1D2C-00000000FB01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.305{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037812445754CA8113A052E997392CB2,SHA256=5AA0BA18B41982FFF112648ACA2ADB360D97B63479E94A052DDCAB20DB49147B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000263302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000263301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050dc36e) 13241300x8000000000000000263300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0xef6f9815) 13241300x8000000000000000263299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec1-0x51340015) 13241300x8000000000000000263298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0xb2f86815) 13241300x8000000000000000263297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000263296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050dc36e) 13241300x8000000000000000263295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb8-0xef6f9815) 13241300x8000000000000000263294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec1-0x51340015) 13241300x8000000000000000263293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:18:55.891{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0xb2f86815) 354300x8000000000000000263292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:53.693{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:55.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DF55CAC439858CEF7FFE5707ACA90E,SHA256=B406FF38C8BF1074443C88D4A4AA2232A956154ADEA0C06F1C856DEC134BD46C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956F-6149-1F2C-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-956F-6149-1F2C-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.727{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956F-6149-1F2C-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.728{5097E253-956F-6149-1F2C-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.321{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7D67670EA0B3EF205FAA2D5EC4E83,SHA256=24568ED060B723810727A34A666777099DAD1556177824BEC55CEE4DBA327CB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.196{5097E253-956F-6149-1E2C-00000000FB01}69526032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-956F-6149-1E2C-00000000FB01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-956F-6149-1E2C-00000000FB01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.055{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-956F-6149-1E2C-00000000FB01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.056{5097E253-956F-6149-1E2C-00000000FB01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:56.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BD11A9A12D97C8A5C9830F4A3E10AB,SHA256=942ED6A0ABBA2FC343F46D2A6DB9A6748FC5A8D9B5655EA7503F70F6E2D114DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:56.336{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1E5B0B66575EFC461E90FE742288A7,SHA256=267C5D7F768C83C76524423B6B2D67DBADE76DE7D7322B8E676963465009367A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:54.241{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-55586-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000301367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:53.554{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64308-false10.0.1.12-8000- 23542300x8000000000000000263304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:57.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85581C9F2EC7D8A63A65779229F0FF35,SHA256=465095FF54EA9311A82C0A06507EB6D9DD0821CF538346766C4F3C38DC07B08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:57.763{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1385MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:57.338{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B268C2CA37864CE3D07E22BE330D1F0,SHA256=6F820D830E88754C0DD097275E75491E8CF98062D4FBCE068A9432FEDB46EB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:58.422{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F944579697D63846C94B3FC049A3D06,SHA256=CB31835303F47B83FE9E8B4D1A74150511B5E11D29FF25E2170AD8D78D94E8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:58.761{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1386MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.961{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64309-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000301373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:55.961{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64309-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000301372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:58.338{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56886F9B599402AC58DF0A2EEF01F675,SHA256=F7D10282217B3A3EAAADD722974845FB9C1F680D318AE1A07302A455E03E226E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:59.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F8A1BD206B8EC7F56BCE7A39DDA293,SHA256=70A5BF1C3916566BC6F84981F5C45AA9B68B73A770C9430CA4C315CE8BE1658C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.918{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9573-6149-202C-00000000FB01}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9573-6149-202C-00000000FB01}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.902{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9573-6149-202C-00000000FB01}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.903{5097E253-9573-6149-202C-00000000FB01}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.340{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E988673E753BE459333EBE306056E735,SHA256=C4A2C1D64464070D3ADED6FBBA8EEEFDC85AFB45596D9E6F09C9ED89EB92D299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:00.453{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC31F92F6FA5B6F3929D88E8B541577,SHA256=EEEAA30845358CEDCCA5510F0B76E4F7ED9E0137372B9F48FFB322D385C1F5EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:00.355{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB91BC59B348579E96787FB1739B2694,SHA256=7B9CEA4DE35C7EE160E4B93200CF2F3BF5EB1CDFBCDCE439BE7712230DA8AF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:18:59.630{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:01.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848296861D79C117B95B8B9B84329F6B,SHA256=3F53C76E50EC2C87952B5B3411A0987C72ABF083C09C8D6D407018F1D74746BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:01.371{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5FD89A29D92FB002D3F4404379CF2B,SHA256=1D4CAF1938FBC10A652EFA5F7B7B5BC2DD7EF45747B46021B7E19501909ABCF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:18:59.480{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64310-false10.0.1.12-8000- 23542300x8000000000000000263310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:02.485{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5958D22A73F36771E001566688F3E0D,SHA256=EDE6511B973830FF632A74F7B31185428878235FA1D4A1FA07E33053D12645EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:02.371{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597BDF9D20617134EAAD5E32AF70FCF7,SHA256=7918C57533839DADEA81028D331E2D66C07990A3E08F8D23C8F2C4CF1A51A2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:03.500{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A61D05BA0F738F7CA15950DF6215720,SHA256=B7B78A6E62E8AC51B38E47E94F7ED660F18EEDD2A72465DBDF866D3B4B9C21B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:03.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901FD4C2006E430FDE6791F705704959,SHA256=70A26E1C5FDF71DF4DB36C13A5F3B714E181A33710FADAE518B66DFE41E9E9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:03.313{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=79794D7B6428E5B9AA6B74C5451E9671,SHA256=70A5F0EBF65D87F85B6683C44FCF4E15A28083F90846DCD6F3C747A8FEA81006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:04.909{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1377MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:04.516{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417AAAF2316781FC95A949E7C55CC1B0,SHA256=5DCBA582F4F66CEAC8E488CC6E53D800F37986EDBEA22726CE27712DD58BDA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:04.397{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC289B071F442BF4322B750BAABCA39,SHA256=33CFED5E235EFF26016060FB76D9663965387CCC4A5D86BD053206B88C9063C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:05.922{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1378MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:05.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB891AA598999E34B682C4F1625BEDC,SHA256=6DF3D67E1514DCF72D0FD2C64636A0C3ADFA87E628C55EDA71488D5B983A69B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:05.397{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56530CFD4ED4BE71179DCDB3652CAE00,SHA256=174977452BA65E789365A86E4B2BDEBFEE21766B6691AFC2D60AC113908FE84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:06.531{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090D9DE2DDA585A25E4770C1F7D3A958,SHA256=1BD17EE90F9E5FDFB72FECB4946F3A6CD7403EF4787AAB4C82CC57F5B0429CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:06.413{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E93BBEDEF64A4AE101EFB15904F6E87,SHA256=8BEE0C44D4E1C3A1B890388EADC613DD97C771CDBA687969979B7FC01CA65734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:07.547{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D39AADAADC8365645DA95535948A71,SHA256=26437B51AFB4548D4FF7AE44938F7E50C3911254B76C56EC268DC3B7FE2FF33E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:05.351{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64311-false10.0.1.12-8000- 23542300x8000000000000000301393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:07.416{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF339CAAE3631C6A965D849E51F67AB,SHA256=518B5A6EF348A195ABA9590451830E1808E2144C316B3EB95A44AFB9B94D33A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:08.562{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C8569A9656F8DF4DA4D14A41E6C0E9,SHA256=37B996B6EFD9490C8C6675AF22DC9AC0B875031D7726502BFDD6C6EEC288C39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:08.429{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808A3364A3B6951FD53F13DA16E48023,SHA256=982574D126DB602527D08EEB53DE6477200FF084BC84F682A554085645592ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:05.534{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:09.562{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815F793EF59A4F6A8D54C0F8E94BC9FC,SHA256=1CE82FC0F8464907DA648546DD434CA2AC17261065AE2CBF3960F38E2D31CC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:09.444{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771A05B2E96DB048C74FC8E0FD338F01,SHA256=0431B8D2A9258C294D8759323F24705026ABF5AC0824880BEDD56B7EED30AB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:10.578{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DA15539A4D70E592C7C499E22CE5B6,SHA256=918A63B512A309A6346BF6D3B6A7F54AFE3D999E52358B4CC790851166B703A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:10.491{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEE12604C1B76058A8AAECF99146365,SHA256=82E10A854236D738D3C8222777F1DC4633A099C24F0D36A4B3A00F3C855FD295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:11.594{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38D6B487489DAA92622BDC1A0850FCE,SHA256=939400759A246EF9998508DED0AB65D15CD4FC747FCA3E7C03027F937E4BBE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:11.507{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8D52FAEE053910F93C7A20E499318C,SHA256=414B7F0162C6D2A09EDD9DF7D7FD406DF70E4823C004A4241A31C0345BDA517E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:12.609{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9762885EB39034697FF3B404DAC0B1,SHA256=EAC7DF0E360B497336A306C1901DA33C5C5F08F549EFF0978BBE60F9D6ECB9A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:10.459{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64312-false10.0.1.12-8000- 23542300x8000000000000000301399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:12.522{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BC6083A2AD9CC85F3B93FA2DF72D4F,SHA256=17E10F24BFF79D130B84BD956D8F7757911A133F2BF5A9E8A7F1953D8E1F7D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:13.625{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505236404181A3CDE30C81D100E77FA2,SHA256=212FB67FE6C680A6C3041D650249CB2ECF2C9F66E2F03D918ACB2AC474964E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:13.569{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCA608E881E389BB1DB91E05B20DA0A,SHA256=656D46AEA452A12A079E95287C45E65EEE1AC1BBA7D60A29A486ED2AE0C0E6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:14.688{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EA10553DC283DE05C8B1C24B786F68,SHA256=82F9B16712D0AA0017849327DA2530E4193DA6E2CA11593D65BED57A8BDC448F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:14.569{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9738A2DBC810EDC3AF88A9C75715BC38,SHA256=F44ED22C93DFCD92DDBFA2EE348C65338DF5141B8530C5CEEC6251E50111534B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:11.536{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:15.750{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BC80E8884A5204947871D036F571C4,SHA256=F92F7BC8022EEA19AF10385D4EF01F5E63B93397041A9CE8AB67F0E8514C7B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:15.585{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B1AB0B15523C40503518737D06D10A,SHA256=7885E6FFDC5C09D9133C20393C7FD4CAC0A05EA7F9BE5816B79A908BABA2F926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:16.766{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5820828160A5256B2E6A53E1597CDA,SHA256=3A95C3FD0094A991933359C87AFF7286A3DCD92BF95038847F0B1F13B71BCE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:16.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F915D38C9C7BB1C4AC3C7B8120FBF7B4,SHA256=1B79D7FBB5B9D62EB3D87C2F0DD74B4C87EB28D8A18AC2DEC4AF286999E911F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:17.797{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDACE505AB3FB2D5BE9956D6D106959,SHA256=6DF2BADEDB69E2EC996DD5481DA01549E97E17CAC884D8ABB0A51042BD7499E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:17.788{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1394711562B9C72BD4FF69196D81B2,SHA256=D4293792D2519CE944EE3CD57E1111FB182C34223A4FB0FBC86C34C9DDBDE033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:15.553{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64313-false10.0.1.12-8000- 23542300x8000000000000000263331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:18.813{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0B3BFB8DAEC56CBEC8F612E562C208,SHA256=556F4D079D30CBE5808BAE26252CE40785803156F50DEA9AC815728DCDBE2D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:18.819{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0EB12EECF4DCDC2F40B631A36B5FB9,SHA256=F7AD674CA832D7EC3EA5D7AFCA05539E43229DDC19BD464A8D6F5E3E143F83F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:19.859{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B5CA21F0E1A7FACFAFB0A92BEC30EA,SHA256=B7928F01E259730144094C4F9E1DF4C6A712B050778606BF8252BD4A12C4AA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:19.835{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29817042B513860AB0858A3C610CFF67,SHA256=CA7807F28455989D4A9F795F9D6E7025737EDE0D5059FF9462082DBCCC406DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:17.505{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000263361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.953{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9588-6149-9627-00000000FC01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9588-6149-9627-00000000FC01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.938{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9588-6149-9627-00000000FC01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.939{C189DCE5-9588-6149-9627-00000000FC01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.875{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81BE4534C4B4346B65194B458F2E40,SHA256=F302719E31B556036662DFB4A51557E54E94C5F686614640E2EB0219C6B89517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:20.866{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138A9CD491EF614E228BF50A5CAC9836,SHA256=3F5D6A18D48AB7BF33EDE23C3ACA70762CAC415AAAA073F8E566711B289DF5A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.484{C189DCE5-9588-6149-9527-00000000FC01}18323908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9588-6149-9527-00000000FC01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9588-6149-9527-00000000FC01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9588-6149-9527-00000000FC01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:20.313{C189DCE5-9588-6149-9527-00000000FC01}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:21.866{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4E61373747FCB62950C199174C72F3,SHA256=F8633909ADE38041EF55A79CD005B7EE9F4F16A6CACB6187BAEC226AF0DAC1C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9589-6149-9727-00000000FC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9589-6149-9727-00000000FC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9589-6149-9727-00000000FC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.563{C189DCE5-9589-6149-9727-00000000FC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.344{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C42134CE7034FD33216645C4C613709B,SHA256=59375EB2461657FE1EAEF57180C8A8C8E04A37482B17AE35567232B95140C1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:21.344{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5FCBA94B814180D784C1971F3732E3,SHA256=4B45DBD00D5FDC43510271C22E311A63A934B7D7B7A2B53E4DD08146998FE69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:22.882{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5974B0B826AE02BA44E2A62C420349D1,SHA256=FC63AAEA9F761D576256139DD7EF1D18675DE68B39FB8B924051670019E43FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.594{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C42134CE7034FD33216645C4C613709B,SHA256=59375EB2461657FE1EAEF57180C8A8C8E04A37482B17AE35567232B95140C1CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.375{C189DCE5-958A-6149-9827-00000000FC01}19121692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-958A-6149-9827-00000000FC01}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-958A-6149-9827-00000000FC01}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-958A-6149-9827-00000000FC01}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.190{C189DCE5-958A-6149-9827-00000000FC01}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.188{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC68BD98C2541F683DB1DC7D36336E9,SHA256=FEC096D4C9D9AD56C21E738A7D4D9CB00C73BCFBDE23A76DEDC8EE4E00E34D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:23.902{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C346599E0803CA3C7E1DF6CA2280F48C,SHA256=2F0337BDE7B09DD58BB7F1FED7526F937CD60937E0D6C56DED4B1D87D5EE322A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:23.219{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8B0D9EC4E449791CD9721F11A416C3,SHA256=E71210917EA0540F7F8416C7189F511E2DEBE03A046A5D668BE7BB62BD606D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:21.506{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64314-false10.0.1.12-8000- 23542300x8000000000000000301414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:24.933{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889C57E46DA5811165A6C86F25CAAFE6,SHA256=48BCAA6468F76C20C667C20194C7BDEDE518925F01CD01B032739CD52E76FB74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:22.630{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000263408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.613{C189DCE5-958C-6149-9927-00000000FC01}24483208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-958C-6149-9927-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-958C-6149-9927-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-958C-6149-9927-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.410{C189DCE5-958C-6149-9927-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:24.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2915DE2B3DC0004DFD6625FD433CC6BD,SHA256=1C9411C089BBE991C68DAC2B2D2B2E6074F635F0BE6697888D9703474872E5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:25.949{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3491EC9F788440A416E0A288AA2B5556,SHA256=A5B2D9B886184F4D0E482CAE6B41318DBA60C74A8A1404AD0F0DD9D9460E155C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7692CBDB175DEC761DE3DC5292A1C,SHA256=2BE93687F8FF15590F92B45BD26916E40212F49C10909717C7F85B70B608B395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=352DFC33368C95234C517651BB13DE13,SHA256=DE9A0C1D46CE5D6A31EF010B3F0CE108CC9A7833F0AFA2074D11AF9F9B89D3A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.269{C189DCE5-958D-6149-9A27-00000000FC01}23681824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-958D-6149-9A27-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-958D-6149-9A27-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-958D-6149-9A27-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:25.082{C189DCE5-958D-6149-9A27-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:26.964{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7263427F7671B71557B00158EBDCB,SHA256=D7D5DC66914F2E7070797BE997341DD79DD59359591792C6DFD421095B776DBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-958E-6149-9B27-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-958E-6149-9B27-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.332{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-958E-6149-9B27-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.333{C189DCE5-958E-6149-9B27-00000000FC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:26.300{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9EF38003E73A39AF9ADC8B0B996EF1,SHA256=1D3BD15B534FBAC3E3380E441F9918CE835CCA317B3AF02C0CC8CA3B722C2D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:27.980{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC150659F40DC61C2F0E04416C46344D,SHA256=44743CE6F6BA488F5545AFC904E8E1549FAEFE9FDB6350D2400ACCE2F374968D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:27.363{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59225299EB840E1F5C7E496480CDEF92,SHA256=7B755BD79840D56257DAE7BC06B191AFC9E4DAECB412A085105048FEEBA25334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:27.347{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A68D6E89DA8DFC11C82EABACF1B0B2,SHA256=74E1E0EE96B89F4CA0553CA02BB343EBE22C7718524E54A7E9DAA09726CE8389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:28.980{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A5A579962E143AEADFE01FFB27DB1A,SHA256=4E34B317ED6BA1C4803AE0EA7E7B4EF8258F19F847B56858C475173573FD227A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:28.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BB6084B46F27D6254F79EF373AAEEC,SHA256=91DC76BEF9F4B30D69E51C69C46E96D703AB8B60194532875543643EB877129E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:28.699{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E300892B8A96F198EF7F14B6171AAC3C,SHA256=BCBB7C8B90D30BE6713C9C117AC21939FC1460577A0900290EB2FA65893F543A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:27.696{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:29.441{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579B42197F68F0E7E3A289D06D6BD4A2,SHA256=78B72F5D8AD1B223FDBD09C2BD44686D5717244D99F694B93C4A1782D5D5C485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:27.370{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64315-false10.0.1.12-8000- 23542300x8000000000000000263445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:30.457{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251731F6569DEBBAC3FFD7AE8046A34F,SHA256=3E95D2B40CB7D78302E7C82A088049F4BDAE6244A77AD714435672456B293422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:30.027{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77115DFBC3F5E8066BA94823AFDEAB5D,SHA256=571C3178906C7D6CCAEBDA35D82DFE746524B1AF9463810F73BB08C078FA0616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:31.472{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73C0F89BF93C044B16560E481C1E2D8,SHA256=B5D12BFC080917DA1C8DBC1A2F2C8DAECB1E52589E3B8DA22AC371E19E737269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:31.027{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311CD4B79241B621EADE3BA3ED009D01,SHA256=367976002A85E538063D74414C2D4B974851F1347CB28C207559C876B5EFEF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:32.550{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A5FEBAC6ED81DE33D27F1DDD481183,SHA256=141FE62C43EDAAEE5066BC396A49BB84E7AA0255AD75BB5B74E451B35AB81A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:32.043{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B169A7E15FF0EF1C4B4731D5A29B53,SHA256=9C06C05E9151C529C37CD727016AB83A540B68E4DC7AC7C0528E2E095A552DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:33.597{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799D7B499D46707C2B7292880795604E,SHA256=2A2F3A330A1628D3102DEC945C5DF786C513DDDCD3A76FC0754BE850FE0C8F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:33.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F11E71039C4C4AE6664816333DB850D,SHA256=67547E60355A563055B3870F492130EC8EA5C3DFD2A87317F4860FCAD8F7975D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:34.660{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D919560D5FE479161D85B22C2909CC4,SHA256=39A8EA9D144180210B058475A69F60DC9D90E3D5F54F1670C75C21461C34DDB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:32.495{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64316-false10.0.1.12-8000- 23542300x8000000000000000301425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:34.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A2CA7C340F19CDDF3B423A40750B06,SHA256=10687BDEE9A3935DD3A343B4E9E55DD26C3CC50946736C7C37F6AAF54D0CB265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:35.675{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0151B9B1024DD7FB83FA1C0BB0B9C47,SHA256=9FF76658410B65FE696B776B32718F5B7472862474FB1C350841ECE86D27B1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:35.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E55D8094467BC6DAB5E6FF3E4885DC6,SHA256=20CDBDB775EDD3B8DF9B04F232B28E2585944A4C4E495712DE160F246F78FB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:36.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2262C4C9E6464FC9F81F713C58F414D7,SHA256=CCF0BBF4057BBA95C4E85C4A16CFE573ECF3C911A144A87E8CAAD1AFC3792911,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:36.793{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:36.699{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:36.090{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBF892BF216B2B510DCE06B26970AEF,SHA256=DF5298451F1B01C44F93C4DB69A217F3B1DB422A288F071AEFAE7C2FFB02688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:36.566{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:33.539{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000263455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:36.024{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000263454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:37.738{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998104182B443BE97902B1167B0B93A8,SHA256=DD8524E277FEED94B13F28B4A5D81D83D625DCD47A4DD6AD237F58A5C8EC9767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:37.105{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101B020DDBB93B7794FD6962FEB59FF,SHA256=A0727B6F821229B5E66D7AF5206EC074DE06120912BEC7D9C43E1733E37B7B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:38.738{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D1C3E36FAF1A06756123B3D2CEE484,SHA256=07E62422FE239F860C06255305270938B2CF457E7A6E09853534883EC85F3AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:38.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25110970C3FD224486AC46B3C83550A,SHA256=42E4F27972F71EE6BB33F9E5AC35F6F55368F93DDD6FF4183A6B1FAFD303C585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:35.995{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64317-false10.0.1.12-8089- 23542300x8000000000000000263457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:39.754{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C80B4E3F671040A42EA9FC0F9D4A97D,SHA256=667A01CC9C2194CF99E214C6B03419F7BF1A888DD99FA21D772BF4084A99E161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:39.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C981874FA3DB9F3B4E5084CB1772773,SHA256=D5EB8DFA5674FCBC07CA555EF605E0202F77AA0EDFA80E6499EA4D2DA0033D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:40.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8884D096461E47D55565ADCACF9AF38A,SHA256=89DDDAEF3DCE07E9FCD6AE8B75BD841B9E2FA5CB88782EE6497C06D5C25FDFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:40.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4239158BDA20BF42476EE5D30E898E13,SHA256=1FB5C5C8A4D0D757D67005B466063A675F4A3F797D5933C0ADF605215836F33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:41.816{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC05B99BFA452EDBC70B83EA912AA4E7,SHA256=56036D8239A2826410505BD4F7FF488610EA1DCABFC25C29E97538E2FF16BE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:41.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07F1B9D6B5C74EB6DBECF93E3FB2229,SHA256=DA55A21A01CF7D71060BE5A0BC6FC30A634B9A781156276E36F4711EB7176566,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:38.539{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000301436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:38.417{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64318-false10.0.1.12-8000- 23542300x8000000000000000263461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:42.832{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183F9C6820A1676BD500AAB339BDDCC7,SHA256=A559DC486333A501D2454842D3E6208BECC71821E724B0315F89843B4E0E1239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:42.168{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF21F8BFEADE8E38207DAE15893D0918,SHA256=0326DD49E33A698536E74D704DED796CBB5363E2B557BE2E7385E87B0AF5FFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:43.878{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DB600CC46B4B84080FB7A40F3245B2,SHA256=26EC378A0A495F77B14E29892126311BAF0F231AE6CCE5A01D332355A9926D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.558{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.199{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A605D0E4EC7FEF8E3CE6F08D9C002A,SHA256=E57A3F0780DAE5B5DD90B8195BD80F0C0F6C185F33C19923CC6EA7B69658EFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:44.894{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C568ADC872EE1F3C31308AB9A377752,SHA256=74F9A7DA5C26F010257FEF9D9B3E97989D21516B3564009486670BB4DEE797BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:44.558{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237E804D0FF254E33025E0511CE3B742,SHA256=0A0A0050365662D6F83FD9E360EABE2F8018177CC42FA4EACEC8D1ED03AB4DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:45.909{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDFD3C9EA99E33AA47F072560FFE1A6,SHA256=203DEB71262491A8AC5C93A1E1E773DA5A90B8EBC6DBF10E656AEA272C3859FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:45.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9287E2DA291B6ADC788387E33E177813,SHA256=CED1CC6F4538C63712F78C373528C1F81AE31C1569E5E41179388C281D54936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:46.940{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F2C3F505109685EDE5DC12B9624325,SHA256=1F5AB0124EC2CC1428ADC0A6126D576B6FC9861761489E4C2CBFB1FF594C6C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:46.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AE766CE599E9E309486249A5AF5A38,SHA256=E38A6DF245229D9A9BD8EC74BB14149E5A3836CFB5964E3A46B407CA220E4165,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:44.540{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000301475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:43.447{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64319-false10.0.1.12-8000- 23542300x8000000000000000263467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:47.987{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC33B93EFEA8BDF2633FF480B884E91,SHA256=9563F2EBDF829F61507B57B20FD4F7F9868F3E2C3FA72E29F884DD9F650A692C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:47.620{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A6611AD1A3AA2347473E605CF42385,SHA256=CBF20678750EBEB330B2B8BBC65E2C105B1C4C1EFAF39FDC5447E6331909355D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000301486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000301485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05166719) 13241300x8000000000000000301484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0x0e8d7b11) 13241300x8000000000000000301483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec1-0x7051e311) 13241300x8000000000000000301482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0xd2164b11) 13241300x8000000000000000301481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000301480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05166719) 13241300x8000000000000000301479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0x0e8d7b11) 13241300x8000000000000000301478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec1-0x7051e311) 13241300x8000000000000000301477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:19:47.261{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec9-0xd2164b11) 23542300x8000000000000000301488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:48.620{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC5BC0DE7547F75E135899A64F86171,SHA256=3AC5D473A4F7C71F7176809D8F2D8042CF08E67A7DB46E87D45E5B82C9E236B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:49.651{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99C7C5D531E6BA018898FA20C05BDEA,SHA256=E3BBA05C31338BE96B508D69FDA09E91DDA4D425E448572D5776A21E82218194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:49.003{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7543B1F35C892B00BE6103CD2B177026,SHA256=34C908BD335E1772C80244D16A78E165911C425BA82B08956E7E1D8FC882CC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:50.667{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB96D4E4C89489DD2C645F13301F4A0D,SHA256=9CBBB9E6C67D6B552B260BD8F58DC4CCD042161FD83A28F22E8AAD196D191E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:50.019{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF520F695C1A10A056686BEF27626247,SHA256=2BC89B1E5232FA43184B23E37DFD7A247A3781624052614BA52FC3C9A27088EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:51.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2864D78AA75BF5650320091B3C15CE,SHA256=5C2585DA4DBA317D9C5F86815F08B2EFEB9317229852F3163AEDA1CF11EFF399,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:49.664{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:51.034{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FC7779D575D061E542415238B232AA,SHA256=8254C0C3B3F9CAC2BEEF6E7FA137A102D29C606C3EAFE624B1CCE0DFA14518E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:48.494{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64320-false10.0.1.12-8000- 23542300x8000000000000000301501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.698{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B1D8D37CC7E423AC9572A0FF7EB584,SHA256=9C3143FE6655B50593D9972797F8C94BE57CB5DAB9984427D1C06204C0CE169A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:52.050{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE9285923CEF1DC874EA4BB578CB8E2,SHA256=03CDF923344A556627106CE5427F1B0E8F2908AA70D4F68A54A0F86BA7C8316C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95A8-6149-212C-00000000FB01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-95A8-6149-212C-00000000FB01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95A8-6149-212C-00000000FB01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:52.511{5097E253-95A8-6149-212C-00000000FB01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.933{5097E253-95A9-6149-232C-00000000FB01}75524552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95A9-6149-232C-00000000FB01}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95A9-6149-232C-00000000FB01}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.792{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95A9-6149-232C-00000000FB01}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.793{5097E253-95A9-6149-232C-00000000FB01}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.714{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44D433DADB43E4E2B3154CC670B26F3,SHA256=73E7C83979DFFC05C4D85FB04FDC8425CD5A758F73B3C5BA9477DC6921C1DC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:53.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D578C7AB247481A634780AFD7CA652C,SHA256=529611E1576C202EB202E5B5959366C4C48FC5FA7A0AF2EF1C15AA430CCD4B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95A9-6149-222C-00000000FB01}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95A9-6149-222C-00000000FB01}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.167{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95A9-6149-222C-00000000FB01}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:53.168{5097E253-95A9-6149-222C-00000000FB01}7560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.714{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB391B127E50765765E906B95E971F1,SHA256=86A57263BAAB96CBFA5245AD93B4EBCEBFEF0C5A2D2815CFF07C22A29AF72BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:54.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B37A5D9B2C7FA83FC04BF7970A727E,SHA256=4EBE806294853FAB18F24D97FC31BAAE88CFA881A6482ED82086E41378C43838,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.605{5097E253-95AA-6149-242C-00000000FB01}51447892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95AA-6149-242C-00000000FB01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95AA-6149-242C-00000000FB01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.464{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95AA-6149-242C-00000000FB01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.465{5097E253-95AA-6149-242C-00000000FB01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.979{5097E253-95AB-6149-262C-00000000FB01}78966688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95AB-6149-262C-00000000FB01}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95AB-6149-262C-00000000FB01}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95AB-6149-262C-00000000FB01}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.808{5097E253-95AB-6149-262C-00000000FB01}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.729{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1097EEF76CC7EFF92330A56E8DE190B,SHA256=A9E60D787C329C3BC6E778B9126EB0A26E96AB91611F39D235DFA50EB17F495A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:55.081{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46A7F4F2140DEA07D9A226324DA7AD8,SHA256=0971E43EDFB49836F7589064161345CE036A01ABE922FAB76DCC4A8C3E99A31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.323{5097E253-95AB-6149-252C-00000000FB01}75687916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95AB-6149-252C-00000000FB01}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-95AB-6149-252C-00000000FB01}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95AB-6149-252C-00000000FB01}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.136{5097E253-95AB-6149-252C-00000000FB01}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:56.730{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8D9B577C0A22A63BE9E61CED2D3DF4,SHA256=7415970FE4FCFBC09B1DBE4BDA1D1D2812B2A646986A1A578C6147B77555FA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:56.081{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA710F7C9748CFC10B43F19E2164C038,SHA256=9AFC0C09CB49B5659182E3951C903FE19177141AC787E918EAE5BC243FC9ABA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:54.431{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64321-false10.0.1.12-8000- 23542300x8000000000000000301551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:57.761{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E33720B9F8DAA088D7DFC4BA584428F,SHA256=2401EED555CFBCB86EA40F659DA2C9852C6F0D03808876AED6A5110CBECDEA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:55.679{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:57.097{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994544E572B51AC083D03CE8650A8444,SHA256=78C8988691B6153CABCC74EF6F2ED9C5839E0E1BBA537A4859F9193566B940EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:58.778{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F61E5017851EA2B7784EC247DD081C,SHA256=5DA2B67914F31DE62E1DEAB2F04EAF151073DFFEEBF1773254539F7E21DD6D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:58.112{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A073F7FFADEAE8ED212DB96F37C07C40,SHA256=191241E6CBBB3666207CA00634F21F3309A9DE6F5CFE5DC0464550F6FDCB7F9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.963{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64322-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000301552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:55.963{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64322-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 10341000x8000000000000000301564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95AF-6149-272C-00000000FB01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95AF-6149-272C-00000000FB01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.913{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95AF-6149-272C-00000000FB01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.914{5097E253-95AF-6149-272C-00000000FB01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.788{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26862FCC9444FB38487FBF3441D7757C,SHA256=8848AC510CE3B5F4A72E651B0342A987138B119AE46CD6DC12B7D698CD3B6D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:19:59.112{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3A0EB1694F792E9943ADD1B650C837,SHA256=EA47A39C05C83C9F518EA5A5401A6B5D8091EB2511D68A752E26372144C943B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:19:59.282{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1386MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:00.806{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2C732858BEB727E3DC1A7F72185617,SHA256=9C41304AFD68D2FA85EFFDE1551C0F5481A544410C0E907F314555D8086E1F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:00.128{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2422B42A73DD65BA25FF935ADB6C96,SHA256=30F25660DCFD010E3C0DB95483C6E2C8428B31A2F30468FC365C337528C22F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:00.289{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1387MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:01.821{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6518F1D64416F14CE7A921745B45E83A,SHA256=BA6AE5D140651D77D933229100B4461CDA473DB074A44E19C9B694D20828AFAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:01.144{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C750FD5AA990D3D8EA8BD02AB891B728,SHA256=16D28AB984512559BD61F80C1BAD9F2CAA3CF9CF809E70F178BB85A9A580CE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:02.853{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E96235AE61A3201D0840B1E34A61F87,SHA256=AE93276259B174B31A084E2F7C4FED528FBFA3CCABDA8767DE6BC38A4AEB1725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:02.144{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BE12844CCDB92F2F01EF5E8E067457,SHA256=0D81D29934C8C36A88D08BFA01999E17D466F08D250B639B515150B1D18F3831,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:00.461{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64323-false10.0.1.12-8000- 23542300x8000000000000000301570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:03.853{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2865DB7781853ED008A0839032B6E82,SHA256=9F3B8DFA06DFFFEE2559C02C679EA92405AA920FBC6FE16B04633655B57582D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:01.679{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:03.315{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DCD035D4F5F66BC4DFFD444F2DB7B982,SHA256=20429B20764826BE21E1E21B5123A6CC134C1F5F1060D60ECB72713BAA842401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:03.159{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F6137913FC7581C5F3CA79D478E94F,SHA256=A0E713EBAECE47C0B3B267D1CAF7F4A6D8B1143002EDA5886F210E85E49A7829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:04.900{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB36E9193F5E7959BF29C114C2F3525D,SHA256=D28A7FCE2639CBF076FB7D49B71D71DABDC4D6A98C87D8318491886698997B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:04.173{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFE64BDB6AD97A95A7548BC1B302137,SHA256=22F8893A9447A53B7727222A80D901C032B1E29CC12AD1A4EE794E8F6B6B5CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:05.900{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8E1E92F9AB906405349047E698BE81,SHA256=E5970E9E4B990F5924936BF6CFE48C9A771A13B0995D74068AD1D28EB63E8A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:05.189{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17A87E75367443C177686BF7C3E5D53,SHA256=1C7B63C20BCA7D129271DC148BB08A525EE0A1FE9A63FC6ACB343C743BE06385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:06.931{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57FE61A92C0A434EBC4FA1B11E4F7C7,SHA256=B14C7E6FDA0C1BD535864C326A624E19759F7F63E5C4933C4C8E87971CDCFE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:06.442{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1378MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:06.190{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FF0480BCA6BC1A55DD335C2B221F0C,SHA256=BD7B66CD96BA49AE4329472F7F26C6F357D6A4CC40F0B67107929EFBE0D69DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:07.947{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95400F9DF85E9E08B61DAA3FEF3D4E18,SHA256=B7D7A042BF1A0079B0CE914DEA49370D4B9AEC4AA7AAC0E598463229DF414784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:07.456{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1379MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:07.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA38EFFCA72A23D420EFCEEE53DC2A1,SHA256=5450E9428EE89159ADD0028EDC32B4018F23917EDD74BFA7533B02D14CCF1565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:08.947{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D425B9D37379042C1BC65199287559,SHA256=B6EAC1360C18134B3D5273CB639EDA3D202EA9CEB7EC3032BB2EAA5B7F7DCF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:08.220{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A33577F0DD49EFDC9646D9D70E2AE24,SHA256=CAA2A293F5ED677BDB297A178AB42ADAC8B6DC63DC84219F5D563AFCDC75ED1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:06.398{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64324-false10.0.1.12-8000- 23542300x8000000000000000301577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:09.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370F10B4664675C92A37549474337803,SHA256=E78C4A7E14C262C60BCE9622ACE3D4ED6DA04F8B8F35D4AE5E2155E241A01F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:07.693{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:09.236{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748027BE5F38B6C9334FB023AC838BB7,SHA256=A4D49C205E5820E95972FCCCA16CF5C4A62009B447B8F1A83BEA8DCF7B253775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:10.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E9F9C81D7F9D38B10D84473E2EC20D,SHA256=29C3C2FE65719569BD883FE18AC219CDCE0774263A0F7B5EE109D8419F2AEA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:10.251{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20199D1A60F6676F3877A46778882BB6,SHA256=826E222C731EBB687E7CAF4B45521ADA20933885A17251871B01635B8D2302B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:11.978{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DA2DADA389A11B00138361A1D2E0F3,SHA256=0389A26BC3083D34C6331759DC036FA6766F5AB2F8D80D873C4AD7823CCF21BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:11.267{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BF3B63BC907DAD78CF26F74CE83E32,SHA256=14370E1EC051B72DC4B91D8F9F744FA86E8EC6A208381087BF1ED64518576A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:12.283{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CAFF27CE7945CB1BD0DD7D0FA32AD9,SHA256=E099C43CBC14C75D7B4FBBCD1498498C295396CF61D2924BA92704ED4F30D830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:13.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350F2818D8E1E4CF33D8CE2DA9561A1E,SHA256=BC1233B9277F71A6B97AF05CA35C6E4916A27CD5B008D1D591FF8C0DDD59FED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:11.508{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64325-false10.0.1.12-8000- 23542300x8000000000000000301580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:13.025{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692C93798C6762032ED5BE3ED6BD2ACB,SHA256=F46030F4647EAFBB2EF497CAC0A57846EBC89A225E3D713D6368AC311CB909B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:14.314{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D50F3B696D7B8122A78F851BFD92249,SHA256=77A990B2339F5950431A0B3A58FEC3B4307676EE8C81FCD606BBF3AE4812B0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:14.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DBABB9161183E7FBB06492A018B780,SHA256=DCF7BD8ED69EA74FDA28746025BD1B01E3D288044301E74E01251264C3D00C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:15.314{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02652C348D003D606F6EC0939F8EC8B,SHA256=F9293746BC1A38F8D79151958EDF5EFB49F424833AD50F6A5E48658B18F68C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:15.134{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A51C091D42B75689F3DC4430EE6B4A5,SHA256=818115B026643B7C57E3DDF88841975BBD1B3E508070112FA39C09D6DD5CA115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:15.134{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=912BA9A29E1508CE0131DC5B573182EE,SHA256=80DFC1B992DD89A1DCEA6A20E73A42AA2EC9740E640C6E3C4047C4C86A6FC7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:15.134{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCC41E569A6DE70EF58B227D09A1FDF,SHA256=E517DF3F64FAF7EDD29ACCD279D1BB3273CD05184BEE76A5780925490538FF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:16.329{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9987E5C150E898C3E46635E1DBF693,SHA256=C32059B00D1B30B0AF5724A215EC128C9721491D9DA54E8F15144A46D7EFF783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:16.275{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D062F63A780797EF15F1121E805D6C,SHA256=37CEF16893E67CFF27B0821739C3B75C9420EAA701720D6E98FC10B1D436CBA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:13.615{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000301586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:15.993{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A51C091D42B75689F3DC4430EE6B4A5,SHA256=818115B026643B7C57E3DDF88841975BBD1B3E508070112FA39C09D6DD5CA115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:17.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9FC2ACA943F426893BBB47B6B11ED2,SHA256=5318D087DBA16F7079EBCC0DB237223A8B1167A789D848A922F56B345F153487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:17.290{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76000FFBD612C559AE2DE91FA988E46E,SHA256=5134917F474D712E51E05CB4BBE7A17D2CD37DA63E10501281CB9CB2FF3B22FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:18.290{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEFB75B8534DD00CD9E703B802BCD00,SHA256=12890D3F4DD1A3AC6D65009A14138FEE4201B556A477C2AD96D381CE0A2E73FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:18.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CDCA737E94A19BE01C7695253D26B2,SHA256=84E39BE774D510D1EC77D34CFD4E3686A278F5DFAC4023B066E0AEC427A76BD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:17.383{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64326-false10.0.1.12-8000- 23542300x8000000000000000301590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:19.337{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D72DBDFBE49DD9B2974A9D64330A36,SHA256=543C43FDED6237A0129EA532CC726DC99ED43B19B539742788E781FCEAA944F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:19.361{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E35BC8B708FD7454B31B42D33D9C62B,SHA256=1ECE645A359E50BB3DD5AEA88197DDB2432D46078D15C3324CEAAFC3121CCA19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.517{C189DCE5-95C4-6149-9C27-00000000FC01}15963108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000263520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79C4BC6D82B99704C786B76A7F2A128,SHA256=7BFDF909FEC6C1D7E305DFED8326E1132C313AEF54DBF8061C8C76429E5FEEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:20.353{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29327C36DB14FE3E4D71FA27C21EB32,SHA256=BEF1A239C76102C1B96F7E4E58B22320EE754713AE4A0DFB47864E4FF57767CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C4-6149-9C27-00000000FC01}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-95C4-6149-9C27-00000000FC01}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.329{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C4-6149-9C27-00000000FC01}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:20.330{C189DCE5-95C4-6149-9C27-00000000FC01}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000263552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C5-6149-9E27-00000000FC01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-95C5-6149-9E27-00000000FC01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.673{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C5-6149-9E27-00000000FC01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.674{C189DCE5-95C5-6149-9E27-00000000FC01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E070A5A7655C43C6569074EAE751110,SHA256=88C1655D3F3FB5D290E72707EE2410DFDD4472D46ED7CEE0E9AE55194FB184C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:19.552{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000301594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:21.634{5097E253-483D-6148-1400-00000000FB01}10367716C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:21.353{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B86F4A46F8704D8BE8B02EBAE7BCD3,SHA256=364DFD1C6A65EA03E06351E1F06A308A1BC89C37760CA577913E36132E9C3EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249B99F8483D916647A83558A740C137,SHA256=937E1AEFEBD55FA4D581F0792D02FB9270344179BAA916499C40B32F4CD3EB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB88FAE458C3983570CCE1761E5A7023,SHA256=E9DD1C76A11C80BD2CABAFFE715F1F2BFE50275FC7599DC2AC5533D8AD93EBDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.158{C189DCE5-95C5-6149-9D27-00000000FC01}1744716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C5-6149-9D27-00000000FC01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-95C5-6149-9D27-00000000FC01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.001{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C5-6149-9D27-00000000FC01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:21.002{C189DCE5-95C5-6149-9D27-00000000FC01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.978{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.978{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.978{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.978{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.868{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.868{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.868{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.853{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.853{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-95C6-6149-282C-00000000FB01}5840C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.853{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-95C6-6149-282C-00000000FB01}5840C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000301596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.802{5097E253-95C6-6149-282C-00000000FB01}5840C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000301595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.369{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D580B031A97C58860784455751DB6,SHA256=FF62FEF0E08C1061E59FC9654E12B59A766798AE242EF1B905E4ADC40ABA3B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.704{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249B99F8483D916647A83558A740C137,SHA256=937E1AEFEBD55FA4D581F0792D02FB9270344179BAA916499C40B32F4CD3EB84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C6-6149-9F27-00000000FC01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-95C6-6149-9F27-00000000FC01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.564{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C6-6149-9F27-00000000FC01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.565{C189DCE5-95C6-6149-9F27-00000000FC01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:22.392{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72ECF2E98C7BEC20BCB55FD9C55236D3,SHA256=D36F71069FD96BE9351E631A1070DE1B7EFEAAE28E2963D7AD06524589E02D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:23.400{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD24006D513FC52CB995DCBA7569511,SHA256=FFFDBCD030E2CCB29DF1B69257EEB2C6235151D7DE06A07300D1BB4A55E4BDB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:23.392{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A913245404610BD0F0F9BEB5189F59,SHA256=ED86E2F72BDBC22CE13BCD9947FA48635B691A1BFC7C6625C1857465CA4A6CC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:23.103{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:23.103{5097E253-8792-6149-AA29-00000000FB01}48166768C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:23.103{5097E253-8792-6149-AA29-00000000FB01}48166768C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:23.103{5097E253-8792-6149-AA29-00000000FB01}48166768C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.552{C189DCE5-95C8-6149-A027-00000000FC01}30481616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C8-6149-A027-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-95C8-6149-A027-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.411{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C8-6149-A027-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.412{C189DCE5-95C8-6149-A027-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:24.396{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B6EB3535CFB853851A6008D04AA5BD,SHA256=D3A65018ED8877EB906BF7D46A43AE56BD21BEA7F4E2E0CF020B437E1015520C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:22.386{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64327-false10.0.1.12-8000- 23542300x8000000000000000301612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:24.403{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2127ABD077F39AA4AFD18F8EBAA45EC3,SHA256=1B8A0194E40E40D2746DA1D7A0ED87B96A4835F42AF9AAEF3DCA6DD33BE6AB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.771{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6AC11D6CD59715586666CC0D198D5E,SHA256=03997182A58AE64EA0ED32B21CCE9FDB0C8CC3A01F9697EE85938A232F7341F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.411{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F01841EB3AF12BFCC39212C0548E5B4,SHA256=BAA0480967B865CC824DAE37705E0DC6134064398711D22F83FFB54F0AF958A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:25.419{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF1F931E0B0DE497B6B446422099AD7,SHA256=5DE2A049331B3D1ECEDC68C21980798E59D3747A633B259AA5965E8496B1DD8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.239{C189DCE5-95C9-6149-A127-00000000FC01}24123376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95C9-6149-A127-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-95C9-6149-A127-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.083{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95C9-6149-A127-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.084{C189DCE5-95C9-6149-A127-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:26.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D065A597DC579B57D69C616FFEA0AF25,SHA256=E729DFB66C39B79C0B5DC278A432C0E636A4CEFE36D260774BD69475B4181DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92316E1EE9A6422BB1A792F49B88A8E9,SHA256=F5E63172CB98F61FEF190827490182043E3C8EFF9AA3EC3CFF7C6D92A949C35C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-95CA-6149-A227-00000000FC01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-95CA-6149-A227-00000000FC01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.333{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-95CA-6149-A227-00000000FC01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:26.334{C189DCE5-95CA-6149-A227-00000000FC01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:27.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3FFB01BD2E47DCDF4269136986CB3D,SHA256=4BCF9458B426DA9CFF4F92E2F964E147F6B9197B11ECCBAC765D9027DBEB7059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:25.540{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:27.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9C26020992B52C21A2DF7472B88335,SHA256=279564CE14BDB7B25E2CE4C154E4E1C9F55B72B6F61B7E5B6E4BEA80EF20C230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:27.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F0FEAED76EA8D8C575244EBFF3289C,SHA256=497B5834C219F19C4EC7FAD3A83E768BD41425F08BE91F0C71D8730AB6011EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:28.443{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2F657A70F1418AD0F54DB50527E76C,SHA256=DC4635400C64A713FA3B5EBC0354B117D4DE43D6370C8A7965DFE6BBC754D9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:28.700{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AD08DE54B64678DD1DDA313D6AA44CAC,SHA256=B35821CF83652AA15924A3320D819A9B16E7669CE51CD6490CCECD6B404FFBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:28.450{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07342D99476D2024DC8BB27F20961DD8,SHA256=863022F50308FC651EA4DE4F912CA279DB5AE1F9CAA91BDFE5F7ADCBEEAA5EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:29.458{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B573399C479CA9DDFDEF9475DA0482,SHA256=C464735981C1FA54608F66BB6DC992B4EA929240C168C9C6075665FE3D0F9CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:29.497{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EB579F14317E194A015ACF3A539A9A,SHA256=0F8949F5CF5B4B1B590EF96102A28503FFB32B3D49DDC7FF9F94BF6A599DED40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:30.513{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AF07E18333CDF7821567ED437ED000,SHA256=47AAC29C6EE0947B6150545F8AFE170A45B28FDE9994901DBF0075A9985C39C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:30.458{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505427F8222060FAEFFEF57E260C8F8,SHA256=51354C25BABCB0E45199589E1B71D1F31D1BA24BEC4D5AA03EC9E314AA293ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:27.527{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64328-false10.0.1.12-8000- 23542300x8000000000000000301622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:31.528{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A127B0FCF6C6F5C8B4E4A3A601D48C4,SHA256=DDA9541852B4DCC0A67D53ADB257095FC60D19A41EE2FCFBDD1ED971588D0B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:31.474{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1485A6DC95AB346BDA30987D95871D,SHA256=E025DB7702C2FDF836894334C3CD9E94B6CF05E0585B1D279C83C4877FFF8751,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:30.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:32.490{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6DADB0F0A7FF225613A06D1B9B153A,SHA256=C72A4719F6A6EC7BB4290A778653D4AE8766110F1D193C95A706501E25099C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:32.528{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C322E4E85B54F958C6E26A2D012C65,SHA256=6F731E6C2AFF6B31F55AA31ABC229D1A43AA69925A0B2503F7AE98C68842B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:33.521{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349FB7C88E8F790090B596C61A29F92E,SHA256=057DF1F719E3504A8B94C8FC83F06C98A60B11F9E4AE1F75C19AB461EDEA552A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:33.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11DB309E274B48CDA761767D48F3B4B,SHA256=6B144510B23917F3D598C4965C1D78AB50B566EFE056BF31E2CC868F67EFF471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:34.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F4DEBFBEBDF7AE43369F194F0CB889,SHA256=666C507123725AE4F4483056A3F8B208D69711EAD84227B185650C1CB3A45784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:34.552{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA12676D7DA49BB7FF19798D47ACF7C,SHA256=E6A817FB653C64F23ACAFEA0C2726F845E501BEB8DEFB9D02835510CA9F4CABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:35.575{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52D654D3967C65FB0E1513EE74380D3,SHA256=0923F1A6350A7E35C8F228BF27BB728084E2C2050DDA7B7B7173F46465E63C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:35.568{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDED146FA7FF71B141A7DB99BB0F1D0,SHA256=89A22F0722D25A229D8151C5E59D10203AF12B7DF6C07E323206EFE66A1D4D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:36.700{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:36.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686999025965BBAEB19A6685E7E2A576,SHA256=C548CF282D7101CFEF205E66CC45EED70DB0101CC127C628410A2837DA430BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:36.583{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:36.568{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A5A14FF9E753A96A0E3DCB40D3C5D5,SHA256=A15F87D4AA868A9FC79A83D4B15D9C939ACAA585206CDB3C7788D7FA0E3D74BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:33.543{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64329-false10.0.1.12-8000- 23542300x8000000000000000263628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:37.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7F67BFC4ACA3ACF94BFE639F96D6B,SHA256=98C814B7CE081206E83FBCA26E656121239DE21A45ECA17F9AC37FF8C1273D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:37.622{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2245E64FDC4C77D22589897292C31E08,SHA256=FA23882179BB6932711FFDC55065328533AA3077637C656464729F004B1D6AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:38.646{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B105FD42ED6CAA4B9F1050F6B46A8FC1,SHA256=523D1694B426069235E722D5A579A2348304F90416105AA8BDD45DBED386FD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:38.653{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF64A76F728ECD34FD81997A5355600,SHA256=E29EB38D0FF91924B6C3F445CDB8B614F1385A3654957FA07EDFD37BBFCFCE04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:36.040{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000263629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:35.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000301631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:36.012{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64330-false10.0.1.12-8089- 23542300x8000000000000000301633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:39.653{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F205421B956C5244CD1AE91D9A7BBC8A,SHA256=A3FBB7BE265F4B9C4359EC21CD0B17CDF686E837CC4268609D5C88538F3102BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:39.708{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD21EADED5C99D22175A36E9CDA76C2F,SHA256=F297B742A3F380373AB0C33ED66F2538F919F697991F75DC5E031D972B5220FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:40.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC4BD0687CD7E3AB30CC56A9F0505D6,SHA256=6C95684BD29447F6CAD98160C21D798A50573EEDC39A05AC3CC626FA43F0CD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:40.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1E95F15894D6D834E56121207A4FF6,SHA256=B028597FEBF292687E9B80A566D2820A6E4FEF0DBC272BED14C6547E22B70214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:41.755{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91B12C4D0DC47B1DEA65D44120049B6,SHA256=FB4A27CF3ABB3F97E35278C4ACE64D2C492264CECD06529BAADABC28726ED54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:41.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BFF53F3D4173E9CFF4C515BC23C9E1,SHA256=8F1CA646956BEC0C4FF3695622C6D41CC8849BD5BECB397D9E58C899477C7741,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:39.386{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64331-false10.0.1.12-8000- 23542300x8000000000000000263635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:42.771{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5D451C4C2225AC44F01CAD1CF97A8A,SHA256=A221E5D15B57846DC02006ED0FACF55C70C5B00568F15589F03A8904C9464E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:42.700{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30743F09C7ED39430235CD69DA99F62,SHA256=4FE96ACABFDA913CAADF0A3625EF13580FA748D60AE0FB888A20ED0B76CAE83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:43.747{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBCA426E0FAE2D6C158C5E49A8D7533,SHA256=7F2C4A59F7C47A5600F9AF2625ACF90A26623DACFDF3B3D687C1FF854B540D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:43.786{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CB078E35630DD3E4D2CFBDE2C6F21E,SHA256=6742D88FE84B27940728DA6F354030B3D1788BA628E2FB510B30FE2987ABC2D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:41.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000301640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:44.752{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F932B9C87B305CB66D3399769A8BC5,SHA256=BFCB8E39C1A0588CABE373DC88476E618066709A43D63234E0A5DCEAED8A0581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:44.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21333F013805E12F7ECC17D4F19EAC9,SHA256=159D2F4BE6B0DFAC1A0F5F1344BC5FC16ADE25FC785CD89AF80BD6B61B40BCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:44.299{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7F81CB20C46F95DBB707C314DB506785,SHA256=0641837251D0CB613661EF8C91E85388A5FF5150A36A77EC843D3EBBAC886839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:45.807{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58724FBD8EB8AC80F1C85169F0907328,SHA256=B41FD83523B66F8B2F08BFA815D3077F81A6A93735E721D253F1D4DF9BDEA674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:45.768{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE4473683E349A8E8796223DBE65DD3,SHA256=00D783B99D72D5D085BC146D8D6C46C8C3F855BE0BF6A8AE932A934AF29D27B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:46.854{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E370860EA72226444DD75B8470376BB,SHA256=7F4DE5FCFD78D162886EDD31A9022FD8BE0B3776B055C2FC26D23A2C033CB311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:46.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA767992C6763E406E9791677954429B,SHA256=F5F848272C2C192EF781B64EBE11AB22F5E1A22832AC8AFC0D546BB7D5B60D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:47.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15351C8455A4ACFFDE014FC279255700,SHA256=F40E1F76611BF6D54D42AF48C888E243B7D2AA053650B18AD6DB8FB128156153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:47.815{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE5BA438F5939574AB0B8BFAA100B66,SHA256=B5E4F4218C8447DE95C53CC919039C9905489B52901E77C8727384075FFF291D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:45.407{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64332-false10.0.1.12-8000- 23542300x8000000000000000301645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:48.846{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D8469CE9EBB838BA0109A83F9E9001,SHA256=79CF7DC0520C57CAA26A8C0251C7C1D49FB8C9A41C7F3322F427B30E0446B8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:48.901{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C1F5C0426A42D769E0BC17D3B78C48,SHA256=0E4FB37FD64F61DA89B9F64812C46ECEACE165DE9B9753AC645101EE07464A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:46.670{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000301646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:49.893{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2489594D35B11DEF8FB948943AB41A4E,SHA256=40E10AA98C0AC3D0E2B7A00048F9B454A43043F741013A105CE1C21B3BEEA769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:49.932{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6271240CF5B4423B7B75606BE1C9E20,SHA256=4BC61F30585812BA940F22BC4E81C556378DFE38D9846925DB5BDCC965B41BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:50.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CB9B5EE199AFDD335004D863FF1A13,SHA256=96B330FFFB00FA6D1E7004547A9B8DB988546E737294539579D1114D661BC407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:50.908{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FA7E1FDA06798C8CC7ECF67796208C,SHA256=E824865D151757D04FF67DBEC1A97E17806A7188640B40698AD26021E309A8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:51.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA5FF891B206579232648FD60EF676F,SHA256=5F54DF4FC3BAF51088BDDC3FD8D976F9A757BD1042EFC636F22E8C142344A9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.924{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE3FB9537E811608CEE6EDCEF7CF233,SHA256=DF0B15BCCFE7C20CEF104DA28CCE15B0E08C5B8A198CB3A44991CBCC12403D3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.424{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.424{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.424{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C5D3F1B9E7E682872DF89EC53D0A4,SHA256=1BE6791F0894319D8AB14B469A8A317B252693F6620BC13F2DD3D8758E27539E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.408{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.408{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.408{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.408{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.393{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.393{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.393{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.393{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.377{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.377{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-95E3-6149-292C-00000000FB01}8096C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000301678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000301677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8792-6149-AA29-00000000FB01}48165268C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8792-6149-AA29-00000000FB01}48165268C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.361{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.346{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.346{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000301671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.346{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000301670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000301669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48161108C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000301667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48161108C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000301665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000301664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8486740C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48164744C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.330{5097E253-8792-6149-AA29-00000000FB01}48164744C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:51.315{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-21_082044MD5=1D74F94D3C88683A8218DC0C36337A35,SHA256=C33587679ED4709143C814C273B8CC2102077D8567ACBDF1FBF429119D31037B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:52.995{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40CAD043CC54285C1187446BA592B02,SHA256=8F29C14EE6EAFA4BC2A8CBCCA0874DE750DCFFBCDD49CF479F6CB3ADDF030E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.705{5097E253-95E4-6149-2B2C-00000000FB01}15607768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000301719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:50.563{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64333-false10.0.1.12-8000- 354300x8000000000000000301718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:50.225{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.42-57936-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 10341000x8000000000000000301717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E4-6149-2B2C-00000000FB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95E4-6149-2B2C-00000000FB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.502{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E4-6149-2B2C-00000000FB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.503{5097E253-95E4-6149-2B2C-00000000FB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000301708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000301707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48165300C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48165300C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48168020C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48168020C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.111{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.096{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.096{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.096{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:52.096{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E5-6149-2D2C-00000000FB01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-95E5-6149-2D2C-00000000FB01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.846{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E5-6149-2D2C-00000000FB01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.847{5097E253-95E5-6149-2D2C-00000000FB01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.190{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A870E29A2FA509E262FB82AA07B7FFDB,SHA256=0A7B6A5C5903D8CAED40CA58B3172D775124FAB9787FC222FC76BA7BB1B75085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E5-6149-2C2C-00000000FB01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-95E5-6149-2C2C-00000000FB01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.174{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E5-6149-2C2C-00000000FB01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:53.175{5097E253-95E5-6149-2C2C-00000000FB01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.846{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-21_082044MD5=8CA08AACA8D0B92788702C241593DDBE,SHA256=66D297466DD0686EF273A4607446C261B5CBB3E9883A8A14D4291FAD827046DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.846{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=21FA938CC70DC84AF1BE6FC4FE6ABCA0,SHA256=BF648C23AEDE6DA16160254AAE7E2536EA479E871CEBB1A481ABDDA3D812D7F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.674{5097E253-95E6-6149-2E2C-00000000FB01}54085964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E6-6149-2E2C-00000000FB01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-95E6-6149-2E2C-00000000FB01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E6-6149-2E2C-00000000FB01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.518{5097E253-95E6-6149-2E2C-00000000FB01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.190{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3DB795E9B81A94EA61605D2C3091AF,SHA256=33E142209FF8071DA5E622FC36BB789F3AC678CC27480774B6FFD7697A6DDE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:52.623{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:54.010{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBC0FA3172C6D2E1A5C203ED6BEF08,SHA256=8A7654427B2840F0966584769A5BD94F1782F5D60FC415715AB57926EA808103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:54.002{5097E253-95E5-6149-2D2C-00000000FB01}46087088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E7-6149-302C-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-95E7-6149-302C-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E7-6149-302C-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.862{5097E253-95E7-6149-302C-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000301760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.377{5097E253-95E7-6149-2F2C-00000000FB01}8607208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95E7-6149-2F2C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95E7-6149-2F2C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95E7-6149-2F2C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.191{5097E253-95E7-6149-2F2C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.190{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD363D6FCCE787176C868B862CD3CDF9,SHA256=34672C90C1E3076F2E20B990BACAFA52F43333EA7CEE2798AE723D0905161E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:55.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC88403B243957CE141E8E3BE300B9C5,SHA256=C202C9B5B2FE4EF7FED97A74910C63192C72F58FC21D5C697EB7EDB8D5CF90F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:54.913{C189DCE5-4A42-6148-3A00-00000000FC01}3008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51066-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000263654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:54.849{C189DCE5-4A42-6148-3A00-00000000FC01}3008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51065-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000263653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:54.812{C189DCE5-4A42-6148-3A00-00000000FC01}3008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51064-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000263652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:54.812{C189DCE5-4A42-6148-3A00-00000000FC01}3008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51063-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x8000000000000000263651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:56.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D44B71D5DA173FF8B32CFE89962370E,SHA256=AC9D4BF0330A3A19C8EDFEA079686534BD3B8A7FAD4207A1C2A25D905C9DC90D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.861{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.861{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.861{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.861{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000301769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.205{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97A2303AEF6D52B09930E474067F84D,SHA256=C33F6DF4A101D138408BB511EA1E08BBA2CEBF8432820E24BDDB7C2AA9AEC21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:57.083{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6C767965BF702B4BDFE5A0187B8205,SHA256=AD15025C4FA96C04A4C557523AD6C67CB8B375B16044CAB7E5C693DCC1AEA3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.580{5097E253-8792-6149-A129-00000000FB01}43167728C:\Windows\system32\sihost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.424{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.424{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000301775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.424{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000301774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:57.221{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51849C187921744CBFA5E3260208DB5A,SHA256=1DC7A36947AC27F854C1C858FB7673C110EA5AC862323982215DF7E7AAEB3B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.970{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000301785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:55.970{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000301784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:58.237{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969B47A23DD6643E61B4E0719D07AD52,SHA256=7979C09F313E2A8A762FBA48800CEC6C770C59EF34B4381C0A9D095044E73A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:58.177{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341BA1F9166C0EEE3FB1E6A28DB3470F,SHA256=555A810BA318A3D7F1B864CB57C42CA6149FAB056A7AF8C723C8BBF97B4C0EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-95EB-6149-312C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-95EB-6149-312C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.908{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-95EB-6149-312C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.909{5097E253-95EB-6149-312C-00000000FB01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000301788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:56.376{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64335-false10.0.1.12-8000- 23542300x8000000000000000301787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:20:59.299{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548A644776C5113B0CF3C280CCA9E163,SHA256=5F6E9A516646911713F0F1C43E6EF3214021C563D79E57ED0D2E8F3E63C91CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:57.712{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:20:59.224{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1286CCAFA6F71418686227A97924898,SHA256=5995728464F6F25D4192F4E5C7D51D4622B64F579A540423044DF708FBAADAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:00.820{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1387MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:00.317{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07018732B6CE5AE301E1833538B6222A,SHA256=30C00E08653C038C07E8371394087711A666AFD34418A3B28E03B5FA9D44D3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:00.239{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23D7546DE00764B0D86B87E4E888F4D,SHA256=A6D35407ED72C6DA88E8089870CEFD108F3DB07B54CF2EEFDF865C42FD95F891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:01.270{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1215F7F4F9BD7758C0FAF1F4299DC57,SHA256=5F6C20F9E6F1C03BA8912CDE985D74BEE2F7A31E6EF116B4F8F40B41B0BBCF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:01.819{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1388MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:01.333{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EA5DC6568875714C4DFFE71B1A1AF5,SHA256=39A824F58A053D13F141FB1470B345D2DCE4034AC0910E93C4902351C7BE191C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:02.302{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72544C7695488E49CBC607F88BD54D47,SHA256=B33360DBD886232996DE883C4094FBFFC4159B9B35481369FF58C7A3358AFC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:02.344{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF5CC3DCD1D2C269BC6BE4A6E4B9B04,SHA256=398ECE84DFFF6340383EF453E8DE9D0E33F90996A0366DAAD1AC1E7EB9EFB0B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:01.527{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64336-false10.0.1.12-8000- 23542300x8000000000000000301802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:03.360{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EDD516F8AE28A97846A22E6D157CC5,SHA256=CE309D247B4F9CA9C4275A557F6E13FD043C29FE979B93FCDC2D8EF764363D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:01.930{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com14365-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000263666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:03.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55107984E88F78B24A78B3D0B1C51CFB,SHA256=C704BDF4135F670375DE9E6010F6E221BC4BE81D124549E3C4A44DF218958FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:03.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5046D2EEC586D926F0347B83DDBC5FF0,SHA256=2418D9313EE2AF18E64D9032CA9ACDFCE06F3017826D334732CF3362A12079F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:03.333{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635786D7D87B1DA257AAC9B424469F5C,SHA256=43CF26B1A358B00AF6410C335F88F903F88C310671BE01FE1ABFEF957F06DB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:03.317{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BC65772DAB0223E52C3CDA3EE6262896,SHA256=71068E3525F074C7DA0179D65DC5C29C7C8BFA74660A7D1D1B53B252D26294A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:02.071{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51068-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000301804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:04.375{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61F4381BAC5AC68B31C9038A30812AE,SHA256=EB1A541CC453213A53A194982FCE7C6ED64A8E0545CCAC57DC3BA7AAB42CA83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:02.209{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51068-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000263668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:04.383{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49741DF1A44B926FDE86D80711151CB,SHA256=DF998C58EA477E50A9370BE880F83D9E1ED3E46F9F24338D964EF8736E2C7B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:03.527{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:05.414{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6606AEB482BCAC431F48247D4FE8F34,SHA256=4DAC491D80B7DCD46DF707874106897B7899D691F8AE98A6F6BD66F1ABA24468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:05.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A77CAAF2852AF75E7AEC98FB50EF06,SHA256=63EED6C7F40C8A88A72E45888923C7ED8CFA45D3C9119711521B76CDF54EB639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:05.344{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=A0A3CAB48C785FFFBC562E17FDA04DAA,SHA256=9756CFC5AD16CD6EBDD85EA282EB3D7BEEA688870B843C1684FB13E27B8DAED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:06.461{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD7B80B5BE39E05DAE7504D918B9FDD,SHA256=90F530098DFFDC2289CF8AEA56A0FFB71344E840BD63318884BA779A9B3D19AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:06.906{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-21_082105MD5=58F22C2F8228CC08DBA9EAA599E34F1F,SHA256=D0F2F0376CA76E08C94EC93DCD1666B04D22662514A8A2EA4A1FB6C3766B6FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:06.906{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=8CA08AACA8D0B92788702C241593DDBE,SHA256=66D297466DD0686EF273A4607446C261B5CBB3E9883A8A14D4291FAD827046DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:06.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7D1BB0031073D294DD3159615E3BBD,SHA256=050818B6C461A0A303F7CD8D7197F783F707477EFE09393D9EDF240D9F9B4023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:07.979{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1379MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:07.492{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4743BB011DEDE806DA6A483C4A41B664,SHA256=3C553C8FF4B318C22EC0D140C67FF0422A953C478B701A1FAA735ECC036E4ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:07.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1510980BA42A7A630697EC0D672CDC12,SHA256=30B7C030C500704804D2317C09AD09A9EA6FDCABA69C776A5B5D4B8A1CABC5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:08.453{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C47413E1A2E9002C123A034AE10D4B,SHA256=739713354247F908E3F91552DD949B2AD22E740553451050277F2B840D33B36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:08.978{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1380MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:08.524{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8A3C38E0ACFE507018504FB2CDE378,SHA256=28C574EAA358C1B063359545F20B0D9AFFFD8323E020D2A036A0695B348F9F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:09.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C12BD1A3566E04CAFE47482DE416850,SHA256=AAE1B293CB6C9C89CFC4EDD6A1BEC81487AB959581679F7C649C6CEB4E084180,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:07.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64337-false10.0.1.12-8000- 23542300x8000000000000000301813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:09.453{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13497187D728D6DB31F0488777AE6408,SHA256=DF99DCD3060E0A9B532B185FD0EA99D71221661B3005FF69C1D550E15C0F6CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:10.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F18E7F1E5DC345420EA1BCD1DD754D9,SHA256=90C92738DCA62CD04A6D89C12836B5809E70FFCD753042BB1DE224E1EF39E5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:10.469{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BD0412914FF6AE53C3ADCD2CF43B0E,SHA256=40EAC30FE06BE3A425A3DD09E94E7CE467A33E06C857456DF1058471385952C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:11.571{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B8AF8FE1991D5F2BA058FF70606AF7,SHA256=5BDD84468F59AD915A73EA0FCDA8D046AEBDBFD0DEB2F554B98D3362BB64100B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:11.469{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40DE2014085A6D4A289EAC5252187A1,SHA256=A95581096954D5EDBF95501A843A734202AAA3888C2D894682F86537B82E7B90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:08.573{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:12.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA87E8617ADAF8CD3A2C26FCFF93BAC,SHA256=2B95258442532703D69F97889BB84A6517008E79A7A6155B4B8569F4DA4E8F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:12.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0A7EEDB7DE5F40B47F37C84CEECFD0,SHA256=66BC049ACABA3FDB6C69DD74853A50411313C01354A3E765703ABDF047050D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:12.360{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=2BF541D2994C8C65241DF9E294AB9488,SHA256=4F6692E7586FB3FF3B86746B9B7007953E1E48E2C68C26CB34C2BFF4123FAC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:13.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D31CC85EA15C164F0D42DD06C049F6A,SHA256=5B3D1E3E00E96A328399B1686D8CADA004AC54754280C0B60F64530ED6B3D74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:13.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108013B61556EF8720C898090FF13437,SHA256=C902C2974312CC79C97CBA63DB961B1CCBB5AF8EAF6FF2F8C65B4F0DE93203CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:14.681{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3916ED13B02ED39D863712E6B9D1B74,SHA256=5F163E810E2C2AFB438B8D3663907E3E18B9E33E856A9E3FC772B5A17D2D4377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:14.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77D88E42E2FA4B6D5A06C5D4804227A,SHA256=CA542C088B070C13373535840ECBD6D366A7683628D36FBAA05372BEAC39BF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:15.696{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04EA2B7B7A5343F87E6E0AB8584FC4,SHA256=8F317865F2F2BA02924A10B1B58FA16EC90146C1F58B27D411DA7BE71DF90B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:15.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FFF9B25E8A3CA981079A3EDBF83DEB,SHA256=CF108CF0AE068F420D62DBCEE06468916813E9D48FF185F7669B2E880B5147DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:16.712{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38148A9337DD269F563F7FF3F8CFC5BA,SHA256=5306E5979058DEA9FA7D22DEE3A0006A253C783350289763AD21957D75217304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:16.703{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-21_082112MD5=BC3F0363732A379397E0A678B8DEAAB4,SHA256=4177BCD1CF54D4F611D9604ABD483EDBB4383461DCD90469B1043737FAD5B9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:16.688{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=FA9C3DA7DD4750D4DFE4502E1CC6E580,SHA256=26D760BCDC657DF7C2F67B42F6CE7690E8FEAA24B7C471A798BFCE921EDA0738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:16.531{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE20BE01B1BF0C8B925143D149C7B7DB,SHA256=643F21000C9A22140816A40D8FE464C410754CA3D7DD113521A665E3A504956D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:14.590{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000301822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:13.467{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64338-false10.0.1.12-8000- 23542300x8000000000000000263687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:17.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E55036AAF26AB6E1CC4319558DE2DE,SHA256=09B57EBF162BFCFEE234AC311ED78DDC490664EDFB35A2EE3968B6AFE7932849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:17.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59B60C26A26026AEB14336EE1ABC054,SHA256=CEFAFDEBDEA43EF12C22622E791B96F3C8F2FF9BD721CB15A0385D542EF48162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:18.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DF731A5D95B54715FA019CE3B76862,SHA256=03C162A0227F51191315D48D21A8A5BF05A3CFD337BEDA5089C6B1ACAFCEF37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:18.578{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF42EF4066AF63292F6EA12173119FD,SHA256=60145613947DBA36100D4470709551924DE63804DCE37057652599D57E6D69AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:19.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71DB3B4AA1372E2EA88C2B9928CA32F,SHA256=71DDBC5BDC17D1568E09F333D66EEABD2A631D74C14CE9EBC9A38820FA76D679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:19.610{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3527D1C9A8E7E8F7116CE42C3A8B8CB6,SHA256=030AEC298FFF4A65F6ED231CB6CB807FDEBEDFB9A409259018DAFAA9E4500C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.837{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EFDD6B67D53EAA5DA2905D06EF6CB9,SHA256=012E4B9FA8C74502FBC2A9B8D012882C116E210C73E2054809022195FD31E41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:20.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5412435BC4989F56721796A74C7E6248,SHA256=7436E11DBC82E00E47055257FEDE618A62E404E1700A4A5FC7D19F586EC716B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.478{C189DCE5-9600-6149-A327-00000000FC01}3728676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9600-6149-A327-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9600-6149-A327-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9600-6149-A327-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.322{C189DCE5-9600-6149-A327-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:21.641{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D0F6D247A7E486404070CC8F47EA11,SHA256=9AC61F52AEFCCF0B3C71B29F68EC1D22F568627F77E7B1935C550BC82F8E62C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9601-6149-A527-00000000FC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9601-6149-A527-00000000FC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.665{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9601-6149-A527-00000000FC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.666{C189DCE5-9601-6149-A527-00000000FC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9489942B08C5B80C1838848057A4CE57,SHA256=265A8CE4F799CCA6D056293BECCECE4A6149D2F7E7752069191E3A7BB3F9F0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:21.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55107984E88F78B24A78B3D0B1C51CFB,SHA256=C704BDF4135F670375DE9E6010F6E221BC4BE81D124549E3C4A44DF218958FFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9600-6149-A427-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9600-6149-A427-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.993{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9600-6149-A427-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.994{C189DCE5-9600-6149-A427-00000000FC01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000301830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:19.452{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64339-false10.0.1.12-8000- 23542300x8000000000000000301832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:22.735{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320632C2FAA0D0E3099E486D5BBE0461,SHA256=4C99ED160FB6E7DA3E6133379888B599FD1954A1BFC1949C40581BBFC20AE12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.884{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9489942B08C5B80C1838848057A4CE57,SHA256=265A8CE4F799CCA6D056293BECCECE4A6149D2F7E7752069191E3A7BB3F9F0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:20.543{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000263747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.493{C189DCE5-9602-6149-A627-00000000FC01}14082632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9602-6149-A627-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9602-6149-A627-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.337{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9602-6149-A627-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.338{C189DCE5-9602-6149-A627-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:22.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF4734479FD450D1C27A8ADACC6EC3C,SHA256=33E880D89BBB8F99A2A8116BCB9FF7502508E6F13B8F0EBA8295A1ED4459B67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:23.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC39A45863964C6D76A0ACF66132DE6,SHA256=F0EE9D69F2F9B515DBA5D7BE52706D3ABA6E2E3B527AF4166D765A20B5501AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:23.134{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F00BDB331D8E060313DA17FCEA22B7D,SHA256=B843A52D8467D1836C48304DD49965D8B6332EB018F6C05CDEEE2CD68D79DDD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:20.957{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-966.attackrange.local54063-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000301834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:20.957{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868- 354300x8000000000000000301833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:20.957{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domain 23542300x8000000000000000301863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.764{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D7751F56F711048A9B9803DF5A0307,SHA256=A7837A1F00ED82D9B6378EE9C86FDA32B771C8933A8B56BB9A9781E96EADCE2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.522{C189DCE5-9604-6149-A727-00000000FC01}2960748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9604-6149-A727-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9604-6149-A727-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.350{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9604-6149-A727-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.351{C189DCE5-9604-6149-A727-00000000FC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:24.147{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995E07AB0362543230A11959AE6F3010,SHA256=4D7ABA1FC405BA974DA4A8C6D06D985D964C861AD5746ACAECE7619DD1541107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.717{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.717{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.717{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.702{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.686{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.686{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.686{5097E253-9604-6149-332C-00000000FB01}73844244C:\Windows\system32\conhost.exe{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.671{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.655{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000301838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.667{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000301837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:20.960{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-966.attackrange.local64340-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 23542300x8000000000000000301869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:25.764{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3BD18ECBE4F3B7D5934D1E42F678E5,SHA256=6257936FB09F084586B13742E4FA7B10021CCB635E81FB45684BA48AFDFF6A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.491{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE82C0908EEB4EAE461DD5DCE8ECCCD,SHA256=D9C20B8C2FB49AC9FE7365C91D37801D5668F62F554AA623D0A47D929C1CE803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.491{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0653C8B0A6A5B79E673E582DAAD43AE2,SHA256=169804560447A28E86E0FAC2E0BC710252C77310F6EA8F9EAF04E153B78DC8CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.210{C189DCE5-9605-6149-A827-00000000FC01}29201400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:25.671{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3754A59C439F0DFD04A3A0CFAB8789DE,SHA256=1F48F0AEEDED49F9A205EBDF6CDC24AD6ABFF661C1A94B08D5E92EE4DEE3D1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:25.671{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CED19880D3363D7DFE1E5BA492E0A9,SHA256=ECDD201EC7074A6CC3AE7856664C7FC8D6C534A855D31689B4741BE8DDA71553,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000301866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:25.046{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000301865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:25.046{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000301864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:25.046{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 10341000x8000000000000000263778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9605-6149-A827-00000000FC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9605-6149-A827-00000000FC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.022{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9605-6149-A827-00000000FC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.023{C189DCE5-9605-6149-A827-00000000FC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000301876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:26.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61768CBAE365D81085436054AA16BBF1,SHA256=E496DCB6F6DA4FFE3D33628896BD69FFBE00643A9E748CC477B6D426C4E22CB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9606-6149-A927-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9606-6149-A927-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.319{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9606-6149-A927-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.320{C189DCE5-9606-6149-A927-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:26.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4593BF2F066549A8E6CED3F3A8DF95,SHA256=2B8B63AA5938D9F5967254354B6639936F5A1AEDD07276AA10F627C77D3306C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.377{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64343-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000301874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.377{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64343-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000301873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.371{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64342-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000301872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.371{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64342-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000301871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.358{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64341-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000301870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.358{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64341-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000301878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:27.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CA8D717DF4BE9AD6F9EE9B68523A0E,SHA256=673AE28B767EC7A1B55AE445FD24A8291E2624A818D12B3EFD082D9AA472D28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:25.697{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:27.507{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0D9EAF3FEDD89525AA2ED5F07D75D49,SHA256=9D0FFBF2CE42E9C2482E98CCB482AA792E9229E8D2B37BA1769DD11B702AB277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:27.304{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03D5025BB193FD5FFF4599AA6495B65,SHA256=95CBFB8C936C68959A638A969D2B731512787D70CE2429F005F32AC38FE065D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:24.466{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64344-false10.0.1.12-8000- 23542300x8000000000000000301880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:28.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81F184995EC70F4BD054BD9B4C68139,SHA256=F15B9F655EF3E1C2C2B0F9E10E9993BDF080B01BBE6F8A26FB0FD64798350073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:28.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50B91F8064B8E15E039995EAC2F5940,SHA256=88FD1E9A682E612D52FE8DF800E44E3942574829189D93027CF320BF3F87B46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:28.702{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F76B5B8615761C9BA299F17D610BC6E6,SHA256=F1FE580E6F4C783DC91BECDDF155678F25B5E341FD8CB827319F22F89865ED03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:29.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4FAC15DC0789489D11D779C48E737E,SHA256=2751981C803535E85A5FA0FB1BC44BA7FF4D9A3461E3989D4C07BC40AADA5DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:29.413{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFD37D0C2922E6BD2136392E287F4E7,SHA256=682C7188FADD888BAE540066CC81793E3B008827568073C9DB6257F7F412C6A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:28.298{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local65041- 354300x8000000000000000301884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:28.297{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local63410- 354300x8000000000000000301883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:28.297{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61754- 23542300x8000000000000000301882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:30.796{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243D6E5DDDBF49ED05CC7EB68EEFCACF,SHA256=FD8CD00DFBD13D63580E5FB58B2CBFEFFEBD6F9316D608AE46F4009A1ACE4AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:30.444{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AFD3756A2EB3FD41B10381CCAA5380,SHA256=09EE83B8481786BB0B2C14F4F71484A0210B58D5685FC56D0D7ABC2A61AF4800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.796{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7011048B4BA44E80C76288E912C2CECF,SHA256=6C89B347938AC7AA6898F2F3E26B4416BCB3BDE4510D9A7E76ED4CC2DC5ED112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:31.460{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B685004BF00825CE9A219CDC6D804FCD,SHA256=AAF8ECC5AFA6A624C7E48A2AE1A793AF64CBCCFF669E86E0D4346B46C837FA2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.764{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000301894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.764{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000301893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.624{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000301892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.624{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000301891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.592{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.592{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.592{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.577{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.577{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:31.577{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-960B-6149-342C-00000000FB01}8060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-9604-6149-332C-00000000FB01}73844244C:\Windows\system32\conhost.exe{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.983{5097E253-9604-6149-322C-00000000FB01}45246724C:\Windows\system32\cmd.exe{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.966{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 354300x8000000000000000301906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:30.403{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64345-false10.0.1.12-8000- 23542300x8000000000000000301905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.811{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5A0AF05713B0D607227E54F17196EE,SHA256=0FBB3953D44B28598C25152DB89F6D1D7A5AB635B6BFD4B96EDA41C9BB8C0900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:32.475{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9947A720044DF19B552F01CCDF7554D,SHA256=4B49FB58D04EDD342CC2A2BD45E3B47CD7E28E75726C5E43FCB492E12FA6E022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-9604-6149-322C-00000000FB01}4524C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:32.139{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9604-6149-332C-00000000FB01}7384C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000301928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:33.827{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCACE4F4E7C6D8AE77CD0DD3203082D9,SHA256=D0C06893BF2BF07B3791B5303256241B7EF0A39E60E1500A120E8CCBC429E9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:33.491{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30395B808EC3C0D468E40ACC5820F3CF,SHA256=CDA414EDCA8652D787B73D2754F717B685C4E3E009C4E2DC262391EB4935EFE9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000301927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=1B7AD381A6A56042F697FECEE95BBCE633C0E5AB4634EDF8E9A7466138BA6FF0 13241300x8000000000000000301926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000301925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local2021-09-21 08:21:33.046C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=1B7AD381A6A56042F697FECEE95BBCE633C0E5AB4634EDF8E9A7466138BA6FF0 13241300x8000000000000000301924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000301923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000301922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000301921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000301920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000301919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-DeleteValue2021-09-21 08:21:33.046{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000301918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-DeleteValue2021-09-21 08:21:33.030{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000301917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-DeleteValue2021-09-21 08:21:33.030{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000301916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-DeleteValue2021-09-21 08:21:33.030{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000301915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-DeleteValue2021-09-21 08:21:33.030{5097E253-960C-6149-352C-00000000FB01}6464C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 23542300x8000000000000000301929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:34.843{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D39BB25F708397E5E49EFF684353D9,SHA256=A94C384E7C2C1B6C16806DD967CB0FD434836428A41B34B53272AA4F7994176B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:34.538{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2594EABE408A7A2C3DFFCDF156AF66F0,SHA256=1EAF58D4D5907792041E5038D9DE76C1F8B66D77A763D449001F8F354BC90E73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:31.604{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000301930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:35.843{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE59DE3DC8852339D81781071A1A6A40,SHA256=10699C603C7C1D45F91D2D373976585C7A96C2D3C0B282E20542C1D2516A856E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:35.554{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC32DDCE72883E5A925409B31D690FEF,SHA256=D0DAF3C9C3D2061BFBD4D17B1F0C148CDCA2CC5ADB0CB638621C11BEE8C69D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:36.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0C04A9916C6295A8DC8FC4715D4037,SHA256=50D74E4AF246A90EA0B0837D43D20BDE062B245BD3DB599EC576B0D0D6D635A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:36.600{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:36.585{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE40D322356D67BFFB0A96A34899E7D,SHA256=8861E6F4CD51953B14513E427FC2E2380109A852F19D4A31CC126869F6B667A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:36.717{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:37.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4376C051287D5FB0973290609D8BA0,SHA256=90BFE04A972A706CC046FD5C384E04F58C4CF11830672910AD2530BE009A084D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:37.600{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A67E60774C7C6B5BA06D2F73C2CE32,SHA256=CEF0D9ACD878E9BAAC0AF344C2E6A166051DEEAF383CC0F2E31D83BCE82EA385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:38.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7A343F61041B84E915C44B15485581,SHA256=A5A5173569C8DEBA0F5C4E35B128957FBA46B0A4A3A17A6B494AC648F31CE1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:38.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4A609E7BED12EF201A866843AD937D,SHA256=31C3647C17AEF0F586FB231AFA92CC91EFF365222C231DDFB37409426A396B8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:36.013{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64346-false10.0.1.12-8089- 354300x8000000000000000263811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:36.057{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000301937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:39.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FD0C47F8F0BC4F518527E6BE8D0FB3,SHA256=2BADE12AA842EFA1DCE8F55E3AB84C8859030520E01550F388BC9CF032EF00DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:39.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0BAD2D9091A070CAA752A4B8A6C9D9,SHA256=4CEC5CC8C7171EFF1B9E72A17E916EA5799D8E7C24D5E72EC521710C8401DE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:36.403{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64347-false10.0.1.12-8000- 23542300x8000000000000000301938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:40.921{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD06199F896AF2DD5304FBF30857343,SHA256=EB8BE38EE6C8BB81127DE90E45A782C735D671147EF0DFD3D0650F72FFF80E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:40.726{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6C8AFE5870E499BA07C7DA7633908D,SHA256=F82CE6E34FB383FC55BE479107CAE72BC6D2C1FFCB417697CDB95D3FE82720BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:37.635{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000301939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:41.921{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA99DE0E9C664BF627190F85D6ABA20D,SHA256=86BC6A2800AA19F6B8A1D2C42B3BC62839AEDF088EDEAD83A291658CD674E136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:41.757{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEB2CE2EBE146D21331F63BC27C4450,SHA256=CF728828D9CDA7472F0388E44AED4C644D9ED9833ABE36BC4B957E630CF2F4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:42.968{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8194A167838DB1E9BEBBE83EB450E99F,SHA256=692B0950CD9CF82BFBE6824293AB685CA994711FAB9FD33C0B8EEB4F9FECE4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:42.788{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D12F37DB12A42A3B7DA8B61CAE6545C,SHA256=9809FB0C321B8D6FA5221E8CF928762C1F0341C4B1380CB2F11CEAEE29993C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:43.972{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26D5BADB4ED30747E6E3A362CBC2DED,SHA256=87C9F1708B42B5A63E5FF2BB34C4E77FB48AD7A0F4A740DF99D1EE24602CEB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:43.819{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4B15B130DF59C3C1D5097A987266EF,SHA256=3D81368D165D1190296AC5353713950F77EA274810FA8714CDC6982F474F9ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:41.091{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64349-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000301943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:41.091{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64349-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000301942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:41.090{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64348-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000301941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:41.090{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64348-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000263819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:44.839{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8EAF86F174C4C1E5E1AF6AAAD272FE,SHA256=EE253DACDE0DFE69CB20133A555F5BD626909FFC5A5631C748AECF6A1213E1AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:44.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000263821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:45.870{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1FF03D3E5131C0DD1B6B9DC0A21128,SHA256=7F8C6C72014005A7251A8AFB72C9110717D84E43B7386B8A31D29C3F3745C11A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000301977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:42.372{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64350-false10.0.1.12-8000- 23542300x8000000000000000301976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:45.143{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9B915930DDB40BE48298603D1C3A56,SHA256=237A0AE8998F354E3A9961BC1B47C11074316085D6F913E38872D78DA37DA684,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:43.608{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:46.933{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4B70CA97EDBC25B3A8337B4F099D5E,SHA256=7C75E83EE2807D2E4B6D29DE906099A33D26036E883ADB42E1430BB5D0A6D01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:46.144{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB0E3BFA7F349FD3274BC30153ECCAB,SHA256=22C95F26BF4FAB37CD2063E3733E776BAAC02B79EF6D5AD2FB3D196B594A3B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:47.949{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB5A535387FAE3A5AC70BDF664DC2CB,SHA256=B92A8F8346A10DF4857F1B40CF6BB50C8A717F5586EBB349D4FE1229B05A3B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:47.159{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B84D0EBB6205AF3E038E847F4A7912,SHA256=92E036EDAD10F2F4996292C113C8EE8A51B7904FB7F2A965E868DF0C0A3FFE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:48.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7CBC52117E7CC67FFBB9FD665F04C8,SHA256=07DA17819D18154366F0864B17A87EE914E78B2DBF1C67ED173CD3CFF68D237B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000301980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:48.159{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4077E00F79EBBBBDA8FE4EED4F4F11DF,SHA256=00AE1DB301C10739079BCEF76D2335539B2DF290C7BA104471A92136F1607317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.753{5097E253-961D-6149-382C-00000000FB01}73686568C:\Windows\system32\conhost.exe{5097E253-961D-6149-392C-00000000FB01}3320C:\Windows\SysWOW64\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-961D-6149-392C-00000000FB01}3320C:\Windows\SysWOW64\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.737{5097E253-961D-6149-372C-00000000FB01}4132224C:\Windows\SysWOW64\cmd.exe{5097E253-961D-6149-392C-00000000FB01}3320C:\Windows\SysWOW64\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+92e4|C:\Windows\SysWOW64\cmd.exe+75d1|C:\Windows\SysWOW64\cmd.exe+6a49|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161 154100x8000000000000000302013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.748{5097E253-961D-6149-392C-00000000FB01}3320C:\Windows\SysWOW64\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exePING 127.0.0.1 -n 2 C:\Temp\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=8CA6D537FD710AC4A2E5668877345C12,SHA256=BDC34D4260925E54B84395B8167CA5D6F9C4AA2E047221C14F7736DDDEB13906,IMPHASH=0EB64EACA8C951D760EEA1A941A2A3F7{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\install.bat" " 10341000x8000000000000000302012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.706{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-961D-6149-382C-00000000FB01}7368C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.706{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-961D-6149-382C-00000000FB01}7368C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.690{5097E253-961D-6149-382C-00000000FB01}73686568C:\Windows\system32\conhost.exe{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.690{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-961D-6149-382C-00000000FB01}7368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-961D-6149-362C-00000000FB01}56687960C:\Temp\remcos.exe{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be24(wow64)|C:\Windows\System32\SHELL32.dll+18bcfe(wow64)|C:\Windows\System32\SHELL32.dll+18baf9(wow64) 154100x8000000000000000302002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.677{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\install.bat" "C:\Temp\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe"C:\Temp\remcos.exe" 10341000x8000000000000000302001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.675{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.659{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.659{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.659{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.597{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.597{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000301995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.581{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exeC:\Users\ADMINI~1\AppData\Local\Temp\install.bat2021-09-21 08:21:49.581 13241300x8000000000000000301994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1060,RunKeySetValue2021-09-21 08:21:49.581{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32"C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe" 11241100x8000000000000000301993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localEXE2021-09-21 08:21:49.581{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exeC:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe2021-09-21 08:21:49.581 23542300x8000000000000000301992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.175{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2471E7B2FB9CC357EEB75773D781BA9C,SHA256=EEEA4F30670870F263ECEB9D29ED6D01519DE0BA9B2BC83EE9EFAFCB318624D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000301991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.112{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000301990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:49.112{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\remcos.exeBinary Data 10341000x8000000000000000301989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.112{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.112{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000301983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.097{5097E253-8792-6149-AA29-00000000FB01}48164676C:\Windows\Explorer.EXE{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000301981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:49.107{5097E253-961D-6149-362C-00000000FB01}5668C:\Temp\remcos.exe-----"C:\Temp\remcos.exe" C:\Temp\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=F9F9E19D162C5382329274C9EF73B9F9,SHA256=ECC35A1D6F4119026101986E81FE0B88E75EC68C03F7080C6F0922246E61BB0E,IMPHASH=D3A62971944197F0701C7049A9C739D1{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000302052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.972{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.972{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.956{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.956{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.956{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.956{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000302046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.940{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\0.png2021-09-21 08:21:50.940 10341000x8000000000000000302045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.893{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.893{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000302043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\remcos_gzufalnqzl\FRDWORD (0x00000001) 23542300x8000000000000000302042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login DataMD5=5BA75311B1B0D6276E298ECCD12B8B07,SHA256=AEB7F25D09A00715C768CB87BA66EE544830347F998CCF218DE5C2072C4AAF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\CookiesMD5=4F6408896300ECC0A7CD4687C86A74AA,SHA256=62393E7EB63600103090BD16D5F5CD348FE606E3FB26035A8C3C7A058A124194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqliteMD5=C1413A881E3168B59272138C5C1CD827,SHA256=930E6B40D209CC4E3C30ED0289D86F47F5CCA06E747CAD1CE212F2BD478D8D40,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000302039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens2021-09-21 08:21:50.847 10341000x8000000000000000302038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000302034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\audio2021-09-21 08:21:50.847 11241100x8000000000000000302033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\remcos2021-09-21 08:21:50.847 13241300x8000000000000000302032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\remcos_gzufalnqzl\EXEpath¦ás6\x11þ\x1D—o\x1Dú”É 13241300x8000000000000000302031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1060,RunKeySetValue2021-09-21 08:21:50.847{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32"C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe" 23542300x8000000000000000302030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.800{5097E253-961D-6149-372C-00000000FB01}4132ATTACKRANGE\AdministratorC:\Windows\SysWOW64\cmd.exeC:\Users\ADMINI~1\AppData\Local\Temp\install.batMD5=3B76530DE6220FA5E42DDA52DF8BC2A9,SHA256=79F52794993A1A8E8FBC192E4C5613FBBF1A2814FBAD29FAC9B7B6A4A75ABBBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.800{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.784{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.784{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.784{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.784{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.784{5097E253-961D-6149-372C-00000000FB01}4132224C:\Windows\SysWOW64\cmd.exe{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\SysWOW64\cmd.exe+3d02|C:\Windows\SysWOW64\cmd.exe+3920|C:\Windows\SysWOW64\cmd.exe+c8ae|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+92e4|C:\Windows\SysWOW64\cmd.exe+75d1|C:\Windows\SysWOW64\cmd.exe+6a49|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43 154100x8000000000000000302023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.797{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe-----"C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe" C:\Temp\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=F9F9E19D162C5382329274C9EF73B9F9,SHA256=ECC35A1D6F4119026101986E81FE0B88E75EC68C03F7080C6F0922246E61BB0E,IMPHASH=D3A62971944197F0701C7049A9C739D1{5097E253-961D-6149-372C-00000000FB01}4132C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\install.bat" " 23542300x8000000000000000302022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.315{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890416F1A619F7E609F7E0A1D04E57AD,SHA256=6E7F7A96B153500DBB68564EA0F20D539C9984D94D903CBB093211940B619F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:48.623{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:50.011{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFA415F031B59C51BEB1933A9718591,SHA256=D9B3465455D216A0AC67E32A9B9B8699EA8189909EC037A2BD3AAEA13B93AA22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:47.376{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64351-false10.0.1.12-8000- 13241300x8000000000000000302073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\UsnQWORD (0x00000000-0x08b09558) 13241300x8000000000000000302072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\LanguageDWORD (0x00000000) 13241300x8000000000000000302071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\SizeQWORD (0x00000000-0x00017000) 13241300x8000000000000000302070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\AppxPackageRelativeId(Empty) 13241300x8000000000000000302069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\AppxPackageFullName(Empty) 13241300x8000000000000000302068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\BinProductVersion(Empty) 13241300x8000000000000000302067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\LinkDate01/05/2017 19:50:13 13241300x8000000000000000302066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\ProductVersion(Empty) 13241300x8000000000000000302065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\ProductName(Empty) 13241300x8000000000000000302064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\BinaryTypepe32_i386 13241300x8000000000000000302063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\BinFileVersion(Empty) 13241300x8000000000000000302062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\Version(Empty) 13241300x8000000000000000302061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\Publisher(Empty) 13241300x8000000000000000302060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\OriginalFileName(Empty) 13241300x8000000000000000302059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\Nameremcos.exe 13241300x8000000000000000302058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\LongPathHashremcos.exe|7ed8638182ccb71b 13241300x8000000000000000302057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\LowerCaseLongPathc:\temp\remcos.exe 13241300x8000000000000000302056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\FileId0000cff25dcd7e34cea805c0ae3f0ce384c98850a800 13241300x8000000000000000302055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.706{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{eaca0f6d-09e8-9ab9-c448-7e64359b5d60}\Root\InventoryApplicationFile\remcos.exe|7ed8638182ccb71b\ProgramId0006c17457fb7eae5437859dd3f2205f60cc0000ffff 13241300x8000000000000000302054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:21:51.690{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\remcos.exeBinary Data 23542300x8000000000000000302053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:51.456{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9DA9FD840B275283FCE8505B83C2F4,SHA256=25AD71EC4A32AE13611C1959D75931AFF7EE7EA9280139A949DE984AB8198E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:51.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60BC949785C05D1C547B0ABDF5DB780,SHA256=B25AEA5D0291CA9E62A5FC4AFC2CE5D9508E0FF7D378CFE1076583BE95B51BFD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000302086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.972{5097E253-961E-6149-3A2C-00000000FB01}7644tobi12345.hopto.org091.193.75.202;C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exe 10341000x8000000000000000302085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9620-6149-3B2C-00000000FB01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9620-6149-3B2C-00000000FB01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9620-6149-3B2C-00000000FB01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.519{5097E253-9620-6149-3B2C-00000000FB01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.472{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF65D1BBFF46D1CF880AB60DEFD2A9A,SHA256=89F08BB9D7B49CB7CF77ADC01DB78EEDF39C087EDDCC259A331DC33CFDB6D66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:52.105{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564BC400FB93DC7AD4C35FB1B9737E67,SHA256=26652E00136A01713C6C1C26A9036CF8064BDF9A09CBE934B93165900C24F9D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:50.274{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53832- 23542300x8000000000000000302075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.034{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBC635B6A348665B6FB13E7B9152848,SHA256=87B03BAD0C554D60F4B2E7082F918347B022F4BAF2F9F476FA6ADBDDCD8190DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.034{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3754A59C439F0DFD04A3A0CFAB8789DE,SHA256=1F48F0AEEDED49F9A205EBDF6CDC24AD6ABFF661C1A94B08D5E92EE4DEE3D1CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.987{5097E253-9621-6149-3D2C-00000000FB01}69721328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9621-6149-3D2C-00000000FB01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9621-6149-3D2C-00000000FB01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.847{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9621-6149-3D2C-00000000FB01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.848{5097E253-9621-6149-3D2C-00000000FB01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.503{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF3B0EDD43CD3B77585374027C2C6C3,SHA256=BE61DFDACB1F19399F4288526CBA161D82408457E5C33D7CCE8303518DF8A5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:53.136{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D11EBCF1E706F01028BB4BDBCEE7339,SHA256=8A404C3232BC5B72C78ABFF8CE2022E4B5AF24C0EEC703F234EAEDB8D04F015F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.331{5097E253-9621-6149-3C2C-00000000FB01}68166860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9621-6149-3C2C-00000000FB01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9621-6149-3C2C-00000000FB01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.190{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9621-6149-3C2C-00000000FB01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:53.191{5097E253-9621-6149-3C2C-00000000FB01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000302115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.659{5097E253-9622-6149-3E2C-00000000FB01}36244056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.534{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5568FFA97F0374B763040B6EA953EDFC,SHA256=D8BDC4EA687FEBAE458454B20B70953827681942C89857D0466FAD82BF8584FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:54.214{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE58F7C6BB7718C9DFD0F7C47377DCC,SHA256=E2FB917C5DD4C60952CABC30C2236E7E4E05E157E01EFE6AF269F24E386EF092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9622-6149-3E2C-00000000FB01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9622-6149-3E2C-00000000FB01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.518{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9622-6149-3E2C-00000000FB01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:54.519{5097E253-9622-6149-3E2C-00000000FB01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000302134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9623-6149-402C-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9623-6149-402C-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.862{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9623-6149-402C-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.863{5097E253-9623-6149-402C-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.550{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C8C5CAC9874882EFC2866673671ED1,SHA256=0FF1FC3817F063057EB6E7ECE07A9EC91072A8C2604A9B025E21B98226F2CEC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:53.733{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:55.261{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4A45AAD39457C86160607DA74D32C7,SHA256=A977CB4B88C2A684E7ACE3B23DD8FD69C3E1E88429105C033AE63B9448E01BC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:52.376{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64353-false10.0.1.12-8000- 10341000x8000000000000000302124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.331{5097E253-9623-6149-3F2C-00000000FB01}63368100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9623-6149-3F2C-00000000FB01}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9623-6149-3F2C-00000000FB01}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.190{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9623-6149-3F2C-00000000FB01}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.191{5097E253-9623-6149-3F2C-00000000FB01}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:56.565{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16EFEEE70CD14BE5C443A5976DC36D5,SHA256=3E991CFAAEAC31548B78EAE5FABD54E29364F1C5ABD8962CE34E8B6B50865ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:56.308{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBABB98C79D57C5BF9300A9E46A0CA9,SHA256=20FFED410404E2EDB519900CBA3C84C39AC93FC428822C1630B88FBEB63F9173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:57.581{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636528137AD7FDD9B9DC16B719888673,SHA256=0C5F4177FC13C30B35006A71BCB28A22C329AC8ED59C1507819DDA3FB7B08B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:57.339{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70FE8A7071C84AE3B15F9E8D1E81B25,SHA256=1F560E37CC331A0B604310FD78C421EE8FA5CBC43FE801A45FE99D474AF0356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:58.597{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF63B5DB4032C0703E3ECA5AD0173E5B,SHA256=5CAAE012A75051DEB5BB8C4CE5A91665D805E8FD6C88F791479C3ACBE10ED432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:58.386{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5971296F9629B39DEF29E46FAB18E136,SHA256=84F273F4CC593A057E6B9A635F92CA3A02E4ACAF2920DB32518FD721EA874FF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.986{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64354-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000302137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:55.986{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64354-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 10341000x8000000000000000302148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9627-6149-412C-00000000FB01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9627-6149-412C-00000000FB01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9627-6149-412C-00000000FB01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.925{5097E253-9627-6149-412C-00000000FB01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:59.612{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4E7336E9E59C2B8154835EC33FA26D,SHA256=9F3783B9271F12C5D5B64A76644E5578C903ADE8A94C4EE9487B754D1B0EABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:59.402{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F9F65EFE84B99AE25DFC69A6D0F73D,SHA256=733A53A3DC2772B88FE2C06EA88A02CBA901845CBD4C22830A0B01E698E0464C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000302151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:00.862{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\remcos\logs.dat2021-09-21 08:22:00.862 23542300x8000000000000000302150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:00.628{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8066F8C70BD527DA8F87B646098FC2,SHA256=6688B53B3C5E38A0D73C17F73F3265B4B2B65A3F19CEA635743C4B4704E2D4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:00.417{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71CCBD8C88D9DFA8C4573119F4508E2,SHA256=8FABAE22720A169CBF9493D25D987BFFF7276691D438391F2C52D3CE402C0556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:21:57.517{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64356-false10.0.1.12-8000- 23542300x8000000000000000302152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:01.628{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75249AA874D3CDE17D4E86C85B5AFB9,SHA256=7156E18091A0BF1C68DE2244D3C021934FAB0A108B29BA81B67C5D9B3034EBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:01.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEB910743B6D332271BAD162C95B9EC,SHA256=3670DFFE4AEE5965DDDDABDC7CBAACADC681886B5D66676CD73E254DBB80800B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:02.630{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846A947DA61FBF19E433E359A549319D,SHA256=294D214689511B38A11D7650F6FDDE5391B86F918E8540B7C0C42A6576D1C7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:02.511{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DB95265BA257E7D589FDAA6119062A,SHA256=B527C1B889163D8C1650FED88C68FCC5D5CA093442815090248474A3F1555AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:02.335{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1388MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:21:59.545{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:03.691{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B268A933552D02A6E111EE76BF9CAC,SHA256=BFD09790B7DBD9E394202E09785E2B81137D5C83574B04CFCB6485761B9B8A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:03.691{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBC635B6A348665B6FB13E7B9152848,SHA256=87B03BAD0C554D60F4B2E7082F918347B022F4BAF2F9F476FA6ADBDDCD8190DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:03.691{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5705099639110214382D4CD32A3E873,SHA256=9CC34EBCAF9A151EF2D07D73AC35C326C142B97377D50E5D531B6C8CAFC0DE3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:03.542{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CE3158FA5B3EAA0488DDB6A62804BE,SHA256=F8774C9244E5FF2D82045398307A649C91E93EB535C198C4FF117BE250DFB4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:03.334{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1389MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:03.324{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9B1AFDEDADD0A86F22FE1CD93CCC30B0,SHA256=50095746C2F914EE7D287826DF100BC340B96BB245B5F351071D1848C9A6018C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:04.829{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402EE2C44F5DFD17E4975766A2E1588D,SHA256=0C2DEA69F7CFA23545F8337421A4199CB843DA2394983D6EDF28BEF6BCE5A989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:04.555{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3414287823F5974D54928ED80EDC24F8,SHA256=D983C4CC05ED46F8C51B0078399B325148A7346464AAA1273ECD88B9D3A05464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:04.610{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B268A933552D02A6E111EE76BF9CAC,SHA256=BFD09790B7DBD9E394202E09785E2B81137D5C83574B04CFCB6485761B9B8A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A9A23EBF67E5BACD04F6EFD542F9FF,SHA256=4C67989BB81B7E63849FCE73B8616B4056FE54D5F9011221727629797ED32B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:05.587{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAC215ED09E64DC125C8CB9A9433794,SHA256=F89FB416D2AB421426FCE38321277AF1F65CBBEE2F9A8F583ED41DFC21996104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48162500C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:05.297{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:06.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63970F8D7E56629C8C75C4E95E0A37F6,SHA256=37B0007FC1C4B0D988E3445CDC3E12DCA24213793F004F3B13729F3BD1E27354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:06.665{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DDFDCFCB3326A658ADFC6478FD60EA,SHA256=3260975E7CFD914B8A3D0DE5F6157FCDB69C0EA075B08619BF3B9C6629F23181,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:03.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64358-false10.0.1.12-8000- 23542300x8000000000000000302172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:07.860{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02000C81531F6A86C1ED321553DCEA8E,SHA256=19E2853C3F59379E87F08D5089C39ABC000C800CB1F5EE91A115A36B439F1268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:07.680{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802A2111F1870FB71ACF0E5439C0DF10,SHA256=AC54EE27F28F62B22DCF303CA3182FD11D0F1A1FB890E7FA6BA58D0AADA7482D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:05.527{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:08.860{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970190B5DC057B9B507CCED0D652F85E,SHA256=413C3C750B4E5772C8E03FA5A15A39FE4EE0A2116A9A38164377C6C0074B67D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:08.696{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C73DCD41F66B9EAA660DCB03498523,SHA256=C22BA3C52C34A988DDC9B1670652FA25A3BAB4AE70F647B662F9B15A17A90F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:09.860{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FF2BBDD2C31728AB769B46140D8D93,SHA256=C8447E2A4E0109C8F4EEA4243323F14E370797464AB7CDDF4B9348F7ECAA06F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:09.699{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CD7C82E127B8B2DD6BC1F80E376BB4,SHA256=F065DA2B75F7AD0EA002BC755FF4BCADECABA9762A8523DF00F9AC19FEF1DBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:09.497{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1380MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:10.860{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6267259833638297D8BB545646AA0FDE,SHA256=C4C84403BE9DA80439157E118C70056C8616B71F800EE75BE3694AC40D8F03F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:10.714{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10BA4062A7B81C730D7A9C8FA46277B,SHA256=3AD896F32D8291AE206377C4363169C80DA0CFA31170D40B8521B545CA3EE858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:10.497{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1381MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:11.876{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC18F47867D87091C5129B1219EA3FA,SHA256=A906996B07BDA23A9A40120B0704547920101251A5C332BA8EA88C0A0AD1422D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:11.716{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7540E7B5D0B373D58705DAECE32B41E1,SHA256=D465B3CB28654CA9E3A77D194F5A927EE0B6363C619A3DE54FC055AE5E289E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:09.420{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64360-false10.0.1.12-8000- 23542300x8000000000000000302178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:12.922{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49C5FBB19242A173D161DAD28438B23,SHA256=4DDC777E1D0B93F4213F58F42538EF4243FDB5FFD175838137CEA75D6EC572E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:12.732{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B86F4B64BA2B2ECD08D5D87D759A77,SHA256=6A3AD1A9BAB5341A0C4D740A08600413D1D74029EFB042C3657973F0E9F4B310,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:10.719{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:13.923{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42459C23AFAC6DA0FCBEF42984C3E532,SHA256=4E6ECC04D9B36032C4AEB5DE4F55D29B8EF065C8CE75DD356A4170C950365F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:13.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251E7135808B0E29831270F7F1147C52,SHA256=8512E3FF54D6A677E621DBD71C5344E03461C0AE92474A4362C70557342DBEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:14.954{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E967DDAE63F6F1AA2F78609562FC48D,SHA256=8AEC23615CC9B6E9DE2A9A0BD3EE03E3B68CE990B7FAD37FBEDF118DBC6DF5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:14.778{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE7192747802BCA572963D33D0FC294,SHA256=A7E667E73B97D1A4D6115D6ECF82A7E1E49EAB56ACD42B9D2B007B9B89778335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:15.969{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F041014BBE2A5A076030F3B38E894584,SHA256=D7EDFCEA953A5934A8489DB12D1903559E7B0671C254A6521FD57D744BE78047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:15.841{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34419795A14EC6AAA4507F4FAD773435,SHA256=BC5DCE48520AE89F3F1435ECB09005147AE90DBFC5CA7DBD47083E21D28986A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:15.485{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=554E998121B11FDAB5F97086733E1301,SHA256=B8233773281D0CC7A906F1A9FB4DE33F19E468785B08B1A12D68D1CFE328A074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:16.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826301232839587F463D3106501BABC9,SHA256=C8C2B804E2584B7AB816214C1870C01DDC7FCAA0A9684AE65B632DF8280D198D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:16.888{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE298FF56339FA88B8D82626A288D479,SHA256=5554E9B4E25F73BA0C321EC25736D68286A852F8921E130A6CC3B72BB57DA9F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:14.483{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64361-false10.0.1.12-8000- 23542300x8000000000000000263860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:17.888{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B12D4F8430338D1AFE6388D0AE8858,SHA256=772409717117D154DBE1C785B35B1DD1B0CD74C3FFF5BFC6897046A31E2ACB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:18.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA53F9768B878C872E35B210B23C2E9,SHA256=FCB01022B2E0AC328EE2BC2919452EE180CD68BD4DCB47847C3B42D57AC10A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:18.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BE3C730C10797238EF492EE52220B4,SHA256=3BA2D286105A673758732272F1AFF417C1C1BAE0E7D3285D9474774A0DAB655D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:16.640{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:19.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02FE71EC0C1EB04F71523E8FF6C98F4,SHA256=FA28C10D56F3DBB1BC250AD52E73CE4A9979AC4AA1F888484B0CCE9411EFA911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:20.047{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A36A0DF85130099FEB6CA82B56FA300,SHA256=338364442585D1F8289A4EA8C87CC142B3FE0E9D802F0C2AE2C5FE87DACC3361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-963C-6149-AB27-00000000FC01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-963C-6149-AB27-00000000FC01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.888{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-963C-6149-AB27-00000000FC01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.889{C189DCE5-963C-6149-AB27-00000000FC01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000263877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.357{C189DCE5-963C-6149-AA27-00000000FC01}3002688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-963C-6149-AA27-00000000FC01}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-963C-6149-AA27-00000000FC01}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.216{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-963C-6149-AA27-00000000FC01}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.217{C189DCE5-963C-6149-AA27-00000000FC01}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:20.013{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECCB989C1560E6638743700DC8BC8D0,SHA256=C35A956E43DCE00898E770921E7FD93F390F48086E55E58BBD050FFEE495E581,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-963D-6149-AC27-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-963D-6149-AC27-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-963D-6149-AC27-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.560{C189DCE5-963D-6149-AC27-00000000FC01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8BF6E7339AB6CCD67715CD5745E823,SHA256=107B67B5319663C3C5CB8AFB3A8A7B4EB5ED7B31F31081DA153DAA5B9C07DE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED21AD307840948284951CF2B61BA750,SHA256=A9A711D7AAA4B6A270FF74D6BDB90AF7B4E455F4A0B336AAEC6F63C2796F7B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66C4B33B128AFF930D1CBF0DE011F0FD,SHA256=3F9CA239241D3AA361025136BE7B2517A36BB0AB1DEF1DA89239ACBE01113163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:21.029{C189DCE5-963C-6149-AB27-00000000FC01}31523768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:21.063{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1625234F810AF7E71F80994709A25ADC,SHA256=F09928FCBB4723BC9D456F56EC6F2A6140FC0C79E3DC2B5F588D875DB504F2D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:20.374{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64363-false10.0.1.12-8000- 23542300x8000000000000000302190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:22.501{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-09-21_082215MD5=820A4E6EC09113F6EDC8175D3174503A,SHA256=5277E67B50D5DE9C2AFE001CAB8020AFAB041769D98F8A143D923B29B27D87CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:22.079{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0126ACC58AF52847D257ADA2B452CF4E,SHA256=B5087C8C5584BA0C1C0F2A90EA72E390AD401D38A89DB345F82E86BC28385ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.575{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8BF6E7339AB6CCD67715CD5745E823,SHA256=107B67B5319663C3C5CB8AFB3A8A7B4EB5ED7B31F31081DA153DAA5B9C07DE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-963E-6149-AD27-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-963E-6149-AD27-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-963E-6149-AD27-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.232{C189DCE5-963E-6149-AD27-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.029{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F5BE7122F6B0DE63711E4FEAFBB691,SHA256=E3F843E24E096FA8CC6F1AC43C867AA85EB0E943C1C88D4FD4535DBC207B6C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:23.110{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C3BF6730BD839874D7FF61706FF017,SHA256=98B20D2E26637C4AFF6D8802C61B1D59698FEDA64527B1E3E19202A1B92A2734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:23.044{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF967D7FCE4B0D84F223F900B543874,SHA256=805DD7906F2359BBD276E41E47A04401E63D1BA029972267533DFE6B1392429F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:24.130{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A1FF17315CC27CCEFB206C74094678,SHA256=F25BDF3DF138C71CD32C76451FBE90C9A89245A1DB45E542FFBBC99E3530B73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:22.593{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000263938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.546{C189DCE5-9640-6149-AE27-00000000FC01}31883192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9640-6149-AE27-00000000FC01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9640-6149-AE27-00000000FC01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.342{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9640-6149-AE27-00000000FC01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.343{C189DCE5-9640-6149-AE27-00000000FC01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:24.092{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32329705A4E7B8FE06AD50648E9F718A,SHA256=4502E7E6E6A3976C34BF43E24EBC31FAEEBF4501E1E1AB372EC37F66989D3A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDBB3C8F7D7200C711157067864F755,SHA256=02E5E32B0E69033BD43368AC7173ED2F32EE8EC94F323506AE7E01C3B3AA72F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C781E33A9D06BAE25B8DFCC40A5D840A,SHA256=11747FA977A47F9B8CDC1F107FDFEF5B304C71C59DCBB1BB8E6594A72BA13281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.170{C189DCE5-9641-6149-AF27-00000000FC01}8963020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:25.146{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D1E4E72838869334666387DA8FCBCD,SHA256=F9DC0E2E6C27D85361D119A9C2B455624549565E0F92003C8173EBB6E0489492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000263952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9641-6149-AF27-00000000FC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9641-6149-AF27-00000000FC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9641-6149-AF27-00000000FC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:25.014{C189DCE5-9641-6149-AF27-00000000FC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000263969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9642-6149-B027-00000000FC01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9642-6149-B027-00000000FC01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9642-6149-B027-00000000FC01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000263957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.342{C189DCE5-9642-6149-B027-00000000FC01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000263956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:26.264{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F347937A7D9049A0635DD9175751FCEE,SHA256=6EE360BD4A7FDB71BF54CA74FB2E76160DAF73290F811DDA2AAFC4666C1A1331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:26.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDFBFB7F84B36C2856575D232CA1EF4,SHA256=706BDAF49245E81C592F42C8AD2474A424CD5FD94EDD66727CE1A25C410F9AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:27.177{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88F1461AA0FEF01EAA15FDB17685A5F,SHA256=A30074B4D548FEA42D81FE172CB047FDF0290E8F12F34E2B698FC41C23B3CF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:27.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880AF68777FC09E6DD3CB3595FDF37BB,SHA256=FBF5737E59BEA8514E16C7611AFBD6E5A4E260D531AC4BF7A3DBB8A4ED03663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:27.279{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6CF5A83A03395B31C2677F88F6BDC4,SHA256=1E89CC11D98D725B1BD85924ABC7BC0C1A350F9BA144641FFEC57A6EA9D1FBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:28.709{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EFF81DD5D7F18CF304B9AA0DCFFF436F,SHA256=E558B151780B8B7C94CB3C07D7ECAA3317F2E462BFE35645430B79CEB4765746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:28.177{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4677565CB7F6EB3A6479AD7EF4FF1DBF,SHA256=B5514019E19166EBD46A9FDB1F50161BD50E0ACF7CCA944A14DEC83ECC945BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:28.295{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D915260D36B319C620100577205E1154,SHA256=43EEFB898D47CD2DB139CBDE3A62B8A3FBB910711097E4700292754FAEB31A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:25.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64365-false10.0.1.12-8000- 23542300x8000000000000000263973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:29.326{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E360EF543ADAA9DFC69E2A4B46CF5C4,SHA256=064DE0BEDA2FDD0325D0229DC7DA5ED33864957C949D6D039C4D63EC5D7517E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:29.505{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-09-21_082215MD5=B0F48BD93ED8C0FB19C6A562888D6ACE,SHA256=C98F8715A97AEA5867F5B021D075419F87EC2E114F22A95A5EE20C57FB99F116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:29.224{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9327612C273298EF998AEA9D4581D12,SHA256=0AED04504573156E4FDF7103F9061F435EB2E876F3087984C609E8A4ADD10702,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:28.531{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:30.357{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C19A76BAC6FB49B32BD23E9E5D0779,SHA256=EB9B47AD1C44154C0076240016A9DAE5B8F87391E5CA24A230F2E601B1C49340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.224{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A59AC80CB57568D36448E7B76800A2E,SHA256=CE95AD3F868553053BE5377AB2CCAFEFBD2726BF05E92A5A033E45237DC87023,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:27.837{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om39517-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000302204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:31.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F45AF2E261052A20401CF5FCEF19DA,SHA256=1E166548F62307C346AD6691004F9DD956B70854D34C2EFA24B218AC20A3B505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:31.404{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605685BF2C18D4FF85FEE2A3501E1AF5,SHA256=1224B8619B23687BD9BB00F48D23299F5AB18ADC507762F04E3576E716F72B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:32.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B001C06DB7D7E54143EAC5CA9A3C52BF,SHA256=83455FA028621A262BCDE4859FA0F1B7AB84BEBB41A657296711E6EF8BCF75FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.325{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64032- 354300x8000000000000000302244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.324{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local64320- 354300x8000000000000000302243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.323{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59555- 354300x8000000000000000302242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.322{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local53119- 354300x8000000000000000302241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.321{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local65487- 354300x8000000000000000302240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.320{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local62178- 354300x8000000000000000302239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.319{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63721- 354300x8000000000000000302238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.318{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local59941- 354300x8000000000000000302237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.318{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59306- 354300x8000000000000000302236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.317{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local53118- 354300x8000000000000000302235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.316{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local62478- 354300x8000000000000000302234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.315{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63144- 354300x8000000000000000302233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.315{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local63456- 354300x8000000000000000302232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.313{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local49191- 354300x8000000000000000302231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.313{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52138- 354300x8000000000000000302230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.312{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62175- 354300x8000000000000000302229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.310{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49485- 354300x8000000000000000302228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.309{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49251- 354300x8000000000000000302227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.308{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local49964- 354300x8000000000000000302226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.307{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60874- 354300x8000000000000000302225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.307{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local49380- 354300x8000000000000000302224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.306{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53798- 354300x8000000000000000302223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.305{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local64752- 354300x8000000000000000302222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.305{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64113- 354300x8000000000000000302221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.304{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local49207- 354300x8000000000000000302220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.303{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local51786- 354300x8000000000000000302219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.302{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50910- 354300x8000000000000000302218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.301{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local61938- 354300x8000000000000000302217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.300{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local53263- 354300x8000000000000000302216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.300{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61910- 354300x8000000000000000302215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.297{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53802- 354300x8000000000000000302214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.295{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local60534- 354300x8000000000000000302213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.293{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local58868- 354300x8000000000000000302212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.293{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64390- 354300x8000000000000000302211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.292{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local64611- 354300x8000000000000000302210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.292{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-966.attackrange.local64611-false10.0.1.14win-dc-966.attackrange.local53domain 354300x8000000000000000302209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.291{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domain 354300x8000000000000000302208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.286{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64368-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000302207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.286{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64368-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000302206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.285{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64367-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000302205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.285{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64367-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000263977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:32.420{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F3422B621C8CA98B0BB666BFB19A23,SHA256=7EDC56A3F37F65998A87A1CFA7F7CC824BAC3349C81FB21926FC9B9EA8831B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:33.679{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95E86389E5BB5EF0759519C72A35901,SHA256=BAA6D8C5C3131F2A03458D06A9AB5A50886DA02EE45AFCF50F10FEF91E9FBAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:30.326{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.14win-dc-966.attackrange.local63645- 23542300x8000000000000000263978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:33.451{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A0E4719FD7118641645CA32F3B585D,SHA256=5BE38180B6CCA4FCC2E9DA3662F72F606D40111E41ECBEB35F87B8084CE2CA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:34.467{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D607F43EA4403ED5C9A5DC9FE4BF0C5,SHA256=F0165A1084B8A753026000462BE8507AB1BAD80456CDC1E5AA42E0517C880D55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:31.472{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64369-false10.0.1.12-8000- 23542300x8000000000000000302249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:34.319{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B87AFD57C20150C75CE91D49F324A69,SHA256=CBD4599094144BE54F0EB22D5BABB073EE311A11866FBB0104E048A8E914482F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:35.498{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4022FACFD8EFF4F0144C2429C09AFE1D,SHA256=6D09E774CC3381B3C558EBF060517DD2569AAAF4F79A895DB1A93E5381578837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:35.335{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01D0F277AB57C5DD7B905F4BC5FD46D,SHA256=1AFA552866C94077118789E9563FDD16FD46B68EE919FFF3714EFAC0C7C1601D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:36.741{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:36.350{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3B573698470353542FD4DA4550BF83,SHA256=7F8A472943445F9C9D4D64A668DE365F940647614BAD96013D00A5FC5D393D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:36.623{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:36.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E586192894A7FB995E07161432D8DD03,SHA256=C5392BBFB8C274DE2FB6FF4197538B69B6D62407929AECD3954E913ABBEE5440,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:33.688{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:37.350{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477F3B71553759394EF49E0E793C3A39,SHA256=14C93E50C135F820B3BD08A22D085B750E56F6654F5602FABE35CCCFBFC8CDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:37.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F3FFBDB1D230F44C9D2E69CA847B72,SHA256=D4AA9ABD30BDA4D3F774167A7AA963E2846905B1F1A78D88FA692FF820086DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:38.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77A1195DF110755261FA07AA72D7ABA,SHA256=810D5741AB8DCFE00013533E2D504B2E612B698CC18589EA64582F1E2C527D8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.663{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.663{5097E253-8792-6149-AA29-00000000FB01}48161852C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.663{5097E253-8792-6149-AA29-00000000FB01}48161852C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.663{5097E253-8792-6149-AA29-00000000FB01}48161852C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.632{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.632{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.632{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.632{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-964E-6149-422C-00000000FB01}7340C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.538{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-964E-6149-422C-00000000FB01}7340C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000302257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.545{5097E253-964E-6149-422C-00000000FB01}7340C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\AppData\Roaming\remcos\logs.dat"C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000302256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:38.350{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077CF3222CC636FA4C93DEACDE9F1B99,SHA256=F7B8248B07F98C35EB77C1E97614F8F8BBE034FB3653B59D6A64D7EED2C8FCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:36.036{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64371-false10.0.1.12-8089- 354300x8000000000000000263985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:36.078{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000263987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:39.560{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03303A796F5D435B972BDAD95100A227,SHA256=5C00278E063C8AF11F2D57C58ABF0E6EEC17347A12B96FAEFB819BB6359377D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:39.350{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFF760EAC2CA2E35FD8B8C2A3CB3DF8,SHA256=1BDD7081498D810CC1504B345CF6A1B627FA1991379A9DF02B1DDB06FE5C1C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:36.489{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64372-false10.0.1.12-8000- 23542300x8000000000000000302274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:40.350{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AB27689B4FA2D6AAAA6B6A4EDDAE80,SHA256=8785BE5F847EF6E76F88953B02D1C6F85AF267D49EC843001F122569DD6F6090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:40.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADAD4DAF71EE2A53CF13DFA9D54BC60,SHA256=C0D140662D16B6CBB7E57D37592D3B7A6A626DBDBDAD3A9A269340185F4E29AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:41.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6BB4150A9876D2B11551370DB4AAEB,SHA256=36A90A0E24CB5C5E55DBC2728EE35A985BFC02A387F966CC174DDDE26817EA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:41.366{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D847405F27548D34F3C3803BFE8CEB1,SHA256=BF7FB3C1D2A16764345C9A6928C2E20D53DDE69FB873B6867AE225CF6CDE05D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:42.654{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7715BE12B9ACD36223706B02A7562F83,SHA256=7268140637C2B9C6A6D56874D5A211C8BA1625B78C39336B636E20F0116BFE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:42.382{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61F6B005793253C853EB5CD7D182602,SHA256=7714BECC53D0D987379B8F5964934E8BD3938E1242C26FC3CBF8054DA0ED3EA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:39.672{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000263992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:43.748{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE9912A5B872A0EC3A1990663BAB4A3,SHA256=EEE132C4FDB3D8B4D238A896C32033F4C9F8F728B6F09E937F49EBE7495CA485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:43.382{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C527057C628C51708925C44DDDA578,SHA256=96D680237DF465920073DD110A8366BA5F0B7D7BA6AA41A9D139286A3976D1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:44.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A9072334461A7F38BF296EC41204C8,SHA256=70F1500CAD8DFCF4828E68750D0011CD6195A3769BD3416BD6F39D1A86D643E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:44.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDDEB3660698ED93F13406ACEAC5308,SHA256=F34964D2ACF309E6F3BD37575A09FE5EF2C686B1302ED33C39B4FD475EC3CBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:45.785{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F00865A3A1828895E4FD8916BB3DD8,SHA256=F3336FE5688A1320C05B944AE073296F445DE29BE85F790637044558D0BA4C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:42.489{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64374-false10.0.1.12-8000- 23542300x8000000000000000302279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:45.402{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDD599BEE8A603E7D5B25D90688F46B,SHA256=9842E1E374979B0C157CC1E87AFBF74009E8F93BF2DB94D7CCE8A4F896DFC012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:46.785{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154F934AC73D2667CBE06FCD509B82E5,SHA256=48B64A80860327F655CD5D8AEE9F60C693DF502662BD3F296ECBFD597B5F5951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:46.417{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D210466C7220889010A169F2E49DE,SHA256=B8163E6A032BE7BE5151A32C2AD5F43370E23C9B36001D2FB6CA09A177043EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:47.816{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90053B1D6C8CE2D5E7F334FC1E4C243C,SHA256=AE194C3798A285BB86176F998EB015ECC8AAA3538CB9DA13DEE7CB03208D7CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:47.433{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB21D40D3547813AE6FE040223EB288,SHA256=F855670F43D4BFD238E86EDA5FDD6F4A451782B0AB5216F52F4D62578C143CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:47.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4911F6BE9CE567C1A53FC5FF95028B,SHA256=2AE1616D4354127D00CA0263A112897E15CB9233A1C8ABB538A8F724EABCEB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000263997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:47.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A379E28AAAFF06FF613B4FDAEC8E8B40,SHA256=DC9BC02D1BAF857BD5A2A93CD4DE30C33CC16ECEBC6E84EAE31D1113998DD0CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000263996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:45.429{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-60431-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000264001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:48.894{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095360F969ABBA64F2F425E1FCD0E3FA,SHA256=F947C2553562EDB7324777FCDF621D8E339DA9509E92389FF50E09985F7EED11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:48.433{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEB944D246C0A8772ECEF40725DD47E,SHA256=E68B8748BB19B359CC98A513E7D53804E7A1123CF6022495E07054C203A1BF1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:45.646{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000302284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:46.100{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51090-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000302283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:46.051{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-61200-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000264003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:49.910{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2BDA846E2675020F53FA9824BB058E,SHA256=0295EB2F5B5A12E211829DDB7436B85EE4D66EC36197BBF10BFFFE13733E3B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:49.433{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2719CF4959E623A39DC467A5A4C33259,SHA256=1664995945FCB1B8D974B22E5641FAD203906B65367E40D33E4231B21B5C6B59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:46.237{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51090-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000302286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:47.064{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-53639-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000264004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:50.956{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0D31487818CC8DC375355C4AB6F827,SHA256=796C89469766CF03AB3C05E512867F43734A860AECC7F5DFF7AA1FFDD3597CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:50.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65DC44D51A1764BCAD9D445AA341B1E,SHA256=3DBAAE056115B46C6C469F5FD8CB8A262559E872CA217D508584ED45830E5CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:51.573{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:51.573{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:51.573{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:51.464{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11CB1879251A49943440A7F6B47BE65,SHA256=D1250F20C102AD166CA21E3134C5E79422700FC0E5EA2282A50768FD3490508D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:48.493{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64376-false10.0.1.12-8000- 11241100x8000000000000000302289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:51.058{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\1.png2021-09-21 08:22:51.058 10341000x8000000000000000302303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965C-6149-432C-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-965C-6149-432C-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.543{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965C-6149-432C-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.544{5097E253-965C-6149-432C-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:52.480{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40C62A50D9013E2427D905AE9C872B5,SHA256=B1A5FCBBD556C65A2D33EFB25563218D086EBD101358F8908317E2BAB14700D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:50.646{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:52.019{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F9DE511CBA5C12EB40589D3BAFEF69,SHA256=14986BC10C70E26034215C729D9A6845B932C062206C91ADA5DFDB36DAEE28B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965D-6149-452C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-965D-6149-452C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.886{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965D-6149-452C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.887{5097E253-965D-6149-452C-00000000FB01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.480{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5ED287773E461AF41A5D2EEFF76886,SHA256=1006E04542DDB141A32077F2FEEE0810A8BE8DBC0E2E94A1E263BE023E32020B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:53.144{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D1ABC83BCC7C609ED83B16B35EE9635,SHA256=6AA2397B6385C7FC98E66B6C04780A00141B7011F586927358CC7F45DD83F6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:53.144{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6095BE099EFFC720BAD02599860FFC48,SHA256=C53EA0AB25DEF7BA69A15E0E3D8AEB6875AF475927CCFA0E6EC80D4D23C8DCB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:53.066{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B501C141B1736DED01CE9F287167193D,SHA256=01DA2255E8858994262B5AFBC4E9041EB98FFFBBCAF20B01CC765C1F056EEFE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965D-6149-442C-00000000FB01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-965D-6149-442C-00000000FB01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.214{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965D-6149-442C-00000000FB01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:53.215{5097E253-965D-6149-442C-00000000FB01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000302331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.698{5097E253-965E-6149-462C-00000000FB01}55686460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965E-6149-462C-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-965E-6149-462C-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.558{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965E-6149-462C-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.559{5097E253-965E-6149-462C-00000000FB01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B2DCE0599FCE8C60F2857B56488D0D,SHA256=58B3D05FDD412F31964248A6A47C440FB4ADEE579CCBB3CCD3B030313FCC5DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:54.144{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92369BC4C148216691FD36DC4951D6F2,SHA256=D506E5F42956AFBE0880605938485FDAA6A4C324DC20E3292490A938AA8F450B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.027{5097E253-965D-6149-452C-00000000FB01}61166648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.886{5097E253-965F-6149-482C-00000000FB01}14521480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965F-6149-482C-00000000FB01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-965F-6149-482C-00000000FB01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.745{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965F-6149-482C-00000000FB01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.747{5097E253-965F-6149-482C-00000000FB01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15950AECED4B8BE30002F6DFA140122C,SHA256=74861D4C3F154C797EEEB28D4CEE2B812838A711911BDD0A4EAF1EB28353B7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:55.160{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7C57E2526421BFDDA9A32A9DB2AC87,SHA256=023872E3A216C0DC0F22D8893F2582FBCDE5ED0DA1DC6202D8F1A59187C8FE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.370{5097E253-965F-6149-472C-00000000FB01}57247200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-965F-6149-472C-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-965F-6149-472C-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-965F-6149-472C-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.230{5097E253-965F-6149-472C-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000302352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:54.446{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64378-false10.0.1.12-8000- 23542300x8000000000000000302351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:56.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C12D0B6332F4386B9355E118A43473,SHA256=5D81627A61977242008FEA4895DADAA412D2D48972A2A96217C7BE0176B78E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:56.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FB09FE90B4308844E957E6F156226C,SHA256=BA912C2A0B3C918D0790C0DD66D615162DFFF6BC847E2D0AA10347DF483ABD7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:57.527{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FDEC71663C890AD241D740C73E5D0D,SHA256=D5B8D308E9B179A42CAEF53AE2BC3BFB3834D2F3C5B2B1E52456A7B766A1AD3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:57.363{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:57.363{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:57.363{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:57.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5935A79066DFC6AF90E3884087D4E4,SHA256=0DC6B194950E491049241EA5F6567C258E9A26AF379DEBE118B1F5CB93DA308F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.993{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64379-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000302355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:55.993{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64379-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000302354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:58.527{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BE3DD51686ED895F9662473482ECC5,SHA256=2D7284126E04D73AF3028779BD95E69507C22F3A6C1427EB50A72D69AB432E81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:56.568{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:58.253{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0447F0E0D30D3487F05C32FDF1A5FC2A,SHA256=BC37DF88A2F5185CB331C440B7AB601B3DDFA99033FB22FA67136FB70F0FD5B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9663-6149-492C-00000000FB01}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9663-6149-492C-00000000FB01}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.777{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9663-6149-492C-00000000FB01}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.778{5097E253-9663-6149-492C-00000000FB01}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:22:59.527{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB88B92BC1A23C25827FAEB045AB8CC7,SHA256=9C0DADFDAC9AE3E1181D49254C83F68E785C6BC090925142DB949C4F8A194CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:22:59.285{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2498FFA8B9F51A5F9CAAF365740183,SHA256=9E7AA827E9BA51DB7B3BB6ED35F2434540F15760391373217D977855D448C425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:00.542{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7962464C80E56DCC71BBEAAFAEEB1C8E,SHA256=6C051EDFF4457A27D858291CEA23124C36B675FB9C152AA030A6DF4E6D7BA116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:00.300{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DF70A8485A5A9C8EEFC1C461DF1C6A,SHA256=E9FAD8146E8C18690E7B7C8E1EE162D0AC0A409C6E73D17EC5DDFC09F45EE9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:01.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1423FCE35964FEF024FDE23AF7AD9170,SHA256=7414E2C0AA4955840A72793399B09FB09A68B2606AFC2E2ACBF90F7C1E9508D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:01.316{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D069193346047F61C0B778E5AB11F5,SHA256=BBE18D76DF8299BFF77D286C073AB02CE3D8C6D7255940D2B1DD081072449ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:02.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0214A82B1823E07F5FFAD605071438FD,SHA256=E4E86FF28C20476B72B3EE66532642B9C4E46F2D4447FA02A502D209892D2B7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:00.384{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64381-false10.0.1.12-8000- 23542300x8000000000000000264022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:02.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FD4B03632FBEA1651B61BE7A4E826E,SHA256=DE1FA30DA181D4915326B99EF9303E6DB03D5EFE760333A84B9968DEC97E6281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:03.858{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1389MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:03.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD682A81B9105606DCBCA5C5FBFBB17,SHA256=331390D39685D63025F0CD0E3E8151F5590DBD5312F09DA657CF5B6E197462F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:01.724{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:03.347{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6071432DBE9D58AAFC3062CC58E2A4F3,SHA256=F395D309133C56B5B77A6595FDCF0408C2A55F2332E77127D97FD096A94245BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:03.332{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DF8F04D04F160498423B48519561295,SHA256=F6A0EDB1DA19B2E453B6D8EFB37CDF5C8A2870B7A58B681B20B6D45476921B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:04.870{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1390MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:04.634{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E42C67661C8D651250AD756479DB213,SHA256=961DB7C4B68129B27248C7A8E6C215F6317868974D9F206EDFDA0107AD7B23F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:04.361{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE44EB53153DEA26B620B6CF33D1E06,SHA256=4E81443027829FB37A72C40E00222BD173C51050573A1DD99A04B6D28A87D4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:05.667{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F31FB25E6BE7EB20D491B279F94B0E6,SHA256=6E8A0DD54C0D85ADB68657CB7589BBB99415755851B78B45F4E7152F30354071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:05.361{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D54D6B4244B30DBDDD7745BAE030E06,SHA256=7C945070B68C141FB525B5025D4AD96A6A02A8D139F03303B2711BF2E55F79F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:06.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C68B7AFF435E5E9E5129624D065AB5,SHA256=90F654F7D1DB32C126F5333D8AD6E902F535A102D46240E3065318B42AD49C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:06.377{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6D0626E03469740225345B2B06ECE4,SHA256=2E3A4397756856C85F0F4475A88E6ECE8C1453056AC29A77278E12997DD9BD60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:05.493{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64383-false10.0.1.12-8000- 23542300x8000000000000000302376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:07.698{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF4920C4DD0DB0A9CAA35BEBC815221,SHA256=2896365BBCF276DA574C4B5894C77DC3226D5FFF9DE95A8DDEDB83158944E090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:07.392{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FDB1B804A7C9FD8B146EDB63CCAFA3,SHA256=BF49DAF746AC3CABAF7D55EDCA4E6DB409FF56D17C989C1699A1A40F36FAB323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:08.729{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6FF46D6697B1C9CA4BCC742C3A4DF5,SHA256=AB426A75F8BC25CA09D13F2706C03EE0F92E38404E2AD19C0EED2B95DE400754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:08.408{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96251BEC2783355F1635430E1B5EEB51,SHA256=39AF3778919849D30192F2EF1330B5FA3DA813400734D4E0D8C851E19615C772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:09.745{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B9BEF7BC767811D79A958A4C763D35,SHA256=10DFAD5F49FEDCE52E4424791199499743F1AF8E65E50099FE278FEDCB8E880B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:07.550{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:09.439{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B844387B1F35CB884E9A03967067E4,SHA256=A92E9D8294A8D0E60AD5386568A97DC2E8935765B450F72F9874A1373399AB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:10.745{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E65F30B6E0AE2D300632F8ADE20F23,SHA256=3FAD1C227559AB74B06F51EB9B890DAE8B030BA90FC12BED31574E2906C31316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:10.470{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95739F896FD5B9D0DBE688193C971428,SHA256=A2B630FA77AC244DD680C500BF1FA2E974D62EE35A10E86D70E8EA365D06349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:11.761{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD2D5E3F6A40F1BB2272C60D95C25B7,SHA256=D1EB6E0C7564B5394E002D98113A0306EB920326503AA6D64E8C0741B10B59BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:11.487{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B49A91D11EC7D656A921AD7E6B05C2,SHA256=DC94C821E7EC34861A355ECB57FDB4CD25F71677C68F6F46FB9567B3089CFF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:11.022{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1381MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:12.761{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C68765A5FF7F35656D9BC4E57D2B30B,SHA256=1D9FB960A5AEB5D143D12566FAD5636B249889D60E80FCB5B621F7CF055EB638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:12.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A621905966EEFDE3CFCD70F2BD19BA,SHA256=48B631DF8F38E57FFAC6E2433DE61DD994E6E8BB820FF278E5C3C9BFCE787702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:12.035{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1382MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:13.777{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123F3F480168DF62DE6262ACDAEE5143,SHA256=7C625E14823AE2D93270093D28880605A662548F580EFBE28586539576CFF211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:13.519{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057DB8B740421EBE402DD84212548D5B,SHA256=5E8137AFDA6F8EA974A8A40DFD206A7447687C641760E8CA453F092C41F3F827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:14.792{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3330C523386C4BB3A131692DB6ED522,SHA256=20DF38C8D0D6CD1F92AB7BD5C5D496D30D1962F0B2CB172A141CE83C21139C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:14.550{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AC19ED2B60C9B76699EBE70F7A328F,SHA256=5C6B79E5308A2A3C6CBAD25A6515A394E6422B0094161CFA8D5A225E0D4A0BEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:11.477{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64385-false10.0.1.12-8000- 23542300x8000000000000000302386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:15.808{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278C7130210231DC9BB7E6465E8DC799,SHA256=2F8BBFD73D9F87E08F80EC3EECC556843B7BD6AFE3696AF5E8DEC02FB8742D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:13.642{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com11779-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000264043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:13.552{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:15.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93ABA8F140C94410F9AB8C0D3D681F55,SHA256=3082D697136FB4F7CF4E4A42FE15F57386D516D80539E188A71BD43C597191A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:15.769{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4911F6BE9CE567C1A53FC5FF95028B,SHA256=2AE1616D4354127D00CA0263A112897E15CB9233A1C8ABB538A8F724EABCEB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:15.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2577944CFD920AAA3BA771CA09ACB46E,SHA256=9BEB99F8CB8867A9AA7B466A9289257FAD99B44CAE3E90F93F8622754CBB5677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:16.823{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520A8B83F75FE7248179443E5AF1CEDA,SHA256=3B5D2D2419F39625E696B31225D95887D65B008FAAB8C01BFA220D07189D217E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:16.629{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4DFE305475E4D91A55D1C04224E78,SHA256=AAF739C94BAE60E579FA94A6489D525A842774C4A33E767786B531DDB7910FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:17.823{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3219437D935DCD26B3D133E3B9A6BCEB,SHA256=C71041681DAFD27690DE4D2D1D3F2764B32F36C0EEECE68D22E65D75B77C9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:17.644{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3A72977097CD9A07A158EBCC7BF1F5,SHA256=6BD2A06D2B17EA7581EFE974C900714D003D549AC63E73B2E053BB5F5FB9C480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:18.855{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6A83650F2A91E8E20A3E7A37AD4A9E,SHA256=07769CB970E2F9B788E020EF5D12ADB5C41563278EE7FD2FA7C32B955D541EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:18.691{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F367A32624011EF11C1DC7AAD8B4AE11,SHA256=DFB9401D3E72C93CE3291F68EE868ACA4096C2A9E3FFDAF1EAA596277CD91CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:19.886{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AD3A352E8636C4B09A11FAD899CC54,SHA256=F0472763478EB21B6BA5B96098C91B1AE137992F524E77AC225238832579E138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:19.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E78291F4FFEE2437F69B05A20A352D0,SHA256=D2DD6C23BF342CE173A1A67A52D945BD80A8A20C6F817DEEFD5BD49F0204A051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:20.886{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508504FEFDF6D1CB8A8C7FB5FFCFBBAC,SHA256=976FE26DCBAA1458632178BFBC664D60900D3DE2F37C7250160E26211D0A150B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9678-6149-B227-00000000FC01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9678-6149-B227-00000000FC01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.894{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9678-6149-B227-00000000FC01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.895{C189DCE5-9678-6149-B227-00000000FC01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.722{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E230FB175C5878F544F5484333FF54FD,SHA256=97A50E1B9A2CEF69FAC3390DC19DEC830684988644891BA534EA669A461CFA0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:17.368{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64387-false10.0.1.12-8000- 10341000x8000000000000000264062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.410{C189DCE5-9678-6149-B127-00000000FC01}23242520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9678-6149-B127-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9678-6149-B127-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.222{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9678-6149-B127-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:20.223{C189DCE5-9678-6149-B127-00000000FC01}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:21.948{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8F7894BDE051B924EB92DC83AC4857,SHA256=58D5E2A410661B25FA385458ED817849D7CCA20C45D2F85C7BE0C6D39877A449,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9679-6149-B427-00000000FC01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9679-6149-B427-00000000FC01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9679-6149-B427-00000000FC01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.975{C189DCE5-9679-6149-B427-00000000FC01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.972{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A321B2DDAD97741F12BC0221C3108E4,SHA256=8BC670DB1CAA323E0C295D7D4F0668FD114C98C1DF17FA4542D7BFBC905C4F46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:19.552{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9679-6149-B327-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9679-6149-B327-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.426{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9679-6149-B327-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.427{C189DCE5-9679-6149-B327-00000000FC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BB043CC0936486D006E7C5EAD212479,SHA256=33CBB474F92452B7C660285E07C42FABACD225B9B9A9C890F62D71D0676E2088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:21.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93ABA8F140C94410F9AB8C0D3D681F55,SHA256=3082D697136FB4F7CF4E4A42FE15F57386D516D80539E188A71BD43C597191A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:22.957{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149D194C1880F1A11CD538FA02281663,SHA256=4136232AD525D78E8509A356C0218192E61C2657E29610BDCD7BCD6C99F9FA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:22.948{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CADDBFA8426F616895644A1FCAD895,SHA256=EF5C91D0CDAE48D6E6497F0B12BCED1533BF8113BB55FE7C7DA36445D6306FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:22.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BB043CC0936486D006E7C5EAD212479,SHA256=33CBB474F92452B7C660285E07C42FABACD225B9B9A9C890F62D71D0676E2088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:22.113{C189DCE5-9679-6149-B427-00000000FC01}23203052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:23.959{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFFFD2878AABFDA68BADE70A313AE68,SHA256=1FF1CAE4A69C009AD2ECACD743F3B3FDF775E47608B5A927952AADEDB1BA10CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:23.951{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A9E31A2DCCF73354170B7DE3CFF8A3,SHA256=48F4BD46F4F25F35B130AE3188C6C70702ECDDD72396B248D06CBBDF9CBCB6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:24.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B713130EBB82868AAD7AB747A5F25C,SHA256=2F4CE9993F1A117DF69B12EDE06ADA68582EC0F0F9FFB6AD0558CD27AEFBF26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.990{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B1A33915346A1DD5D87895E384586F,SHA256=44FCF26578CB9AD7A26E6560D2AD62D8E531EB53EA11E666E2CCE1D27B5BC871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.537{C189DCE5-967C-6149-B527-00000000FC01}32922272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-967C-6149-B527-00000000FC01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-967C-6149-B527-00000000FC01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.349{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-967C-6149-B527-00000000FC01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:24.350{C189DCE5-967C-6149-B527-00000000FC01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000302397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:22.368{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64389-false10.0.1.12-8000- 23542300x8000000000000000264140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.552{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C537E045D47C25AD848A23D2786B8D7,SHA256=6F3D66C327C9037BBBA139B7AF2F5E46C2C847C9489C39D0B0B8AB579B4F94F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.193{C189DCE5-967D-6149-B627-00000000FC01}31683716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-967D-6149-B627-00000000FC01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-967D-6149-B627-00000000FC01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.021{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-967D-6149-B627-00000000FC01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.022{C189DCE5-967D-6149-B627-00000000FC01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:25.998{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26436C32D6795754F60195AC04892723,SHA256=A4072B87BD092AF6FCEF8F616DB953385CF3645D297D9D92F251F7D2B7EDA971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-967E-6149-B727-00000000FC01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-967E-6149-B727-00000000FC01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.209{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-967E-6149-B727-00000000FC01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.210{C189DCE5-967E-6149-B727-00000000FC01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:26.021{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7143FD793C6D57FE80B37A3D53757F,SHA256=62EC141FD48069936E9134EA09300A21CC45C914642C24C615702BAD06180C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:27.224{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32B0D9DD6B06AD56F2A038FDC9C1D29E,SHA256=F3CA8FFB98DC204A79DA93E8A913EC66C19049EEDF1D8A8404E7476A052E16E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:27.068{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FFB08010FB83B4228BEA320D81459C,SHA256=952940A4637C48B53DE8FD91BE08C8E20CFC5B089A81AFFC6BA6AB0A9B433502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:27.013{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F791F8A68B296176FD92C10B93C620E,SHA256=D677E8BA10DCEC99A1DE9DB4598D0E0A68FAE5648690AAF84CC8A1B491212D8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:25.601{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:28.115{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3F602E732D72DF8BFE7A5AD947A8A0,SHA256=8C1BAADD05AD163F2F2EB46DB255A6631E136028C803506C928DA3BA3BEB72D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:28.716{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F5A98F59E16ECE4E42DA0E46530BFD81,SHA256=16F1A2232ED395E42ACBD2D62816F349E03942712A022CF63AAD315B77C941F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:28.045{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19104FD5B97A9AF9E34B45FDFE9D0161,SHA256=7F7D0ED3738BA29B212C193F37BA65520292609184FF4B35E0B5B3EE09AC1F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:29.091{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE9EAB37DBA079D87B8BE32CB1A9F09,SHA256=3887F96F34D9FE76429AE69D7E45A38741A244165561D5CD51E43134E4508700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:29.131{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5C6E0E1B2ADA34E9AFF4A9F6380814,SHA256=4F50723EFD9159BFB986D07CEBB06606F8AE58D580CF6F753AB2F467A3525DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:30.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD667FAECD20E9FC69AB5B822F2DFE56,SHA256=EC9BCB7B0D04BD0ACC7977B20A7D6619EF5584D9F2B9A197CCA110375365D389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:30.178{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807374109997E5A70615B4F290008737,SHA256=A6C8BB18D02411E37299B4E3809B316042FDF91F604BFDB78E472EAADA22700C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:28.370{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64391-false10.0.1.12-8000- 23542300x8000000000000000302404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:31.123{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE21A8BCDF1281CF35784B53CD2BB3C6,SHA256=367A5986BB387EB560DC6A1C8A0D23EE3C1A86FA3E1C7BED8259520896B0F606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:31.193{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1453B0A1AA6494404A0C9E8808DFD2,SHA256=B011C090565317BDDF5B338AA84302FEE15C26EDC86D4CAA35D5E8AEE8E31602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:32.209{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00D47CBA74613E146723AB6469C0B35,SHA256=332CBE04A619EFE5D8049B7CE1DABEFBDD612EE0C9E97377A710A45882EE99F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:32.154{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91191B7C3F77B9947A92888BC3919162,SHA256=017C261B32C7BAD28EFC7D322CCD3B2E40DB891B40A858CD3DDADF3DBC1F3300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:33.185{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34394B5EA062CC5CC5CD678D4E611035,SHA256=40D596CAD6CD496577DF39279B008E13BAE13B2D92B7BE957157543133F2EEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:33.256{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FB19E1022DECFF01BAC7A4D8A1A340,SHA256=08E939E4B570F0CC5B9C7A54CAC375D3FCDAEC5D8CEF827240AF37152FE22CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:34.263{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7780450D0AC621EE889766AED4EB5D40,SHA256=838EE7108076850F0CF3C730513EE4EFC359BBC82D21D0BA5A0169E5FB783D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:34.271{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6258EA5D76CC001B24CE5A2A1BACA85A,SHA256=38C767109F0154F7DD8A96976440142BCD5438231CA3D174E9BAD7730C1A7E71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:31.601{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000302410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:33.480{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64392-false10.0.1.12-8000- 23542300x8000000000000000302409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.279{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2552E92ADB9EA3B1DB2C94D4650F66A7,SHA256=D4A28F91595E46E0F0777CCC015E30349F4DCB3641186D8599E804CD3000BFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:35.303{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A3B1FF7BEC12CEB2940D78CF5BDADD,SHA256=E660E589F83379D3581EB47F602BEBA7600C65F4E1EB50C06E5BCEBD9B501AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:36.646{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:36.318{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B98834B8D312EFF72C9121ED5EC87F0,SHA256=73F64D57000306E20CEC5A851243124EC0DCBBBD3790D1623A17B7C8666EDE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:36.763{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:36.279{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3B3040C4E3E5C6C1EACEDEEA19B2CD,SHA256=6C4E15CFBB2644300383F9D2D6E34C9FF3671D6059F6CE95FFD47B44107B014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:36.045{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:36.029{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000264169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:37.349{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA297DA19EDB7A1071EC2DCFC96C547,SHA256=EB95AC1D658A126173FB4C7F38A5C894BC15DE8FD64A63D4D27055E3E1EC9F50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.343{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64396-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000302422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.343{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64396-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000302421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.239{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local64395-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000302420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.239{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64395-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000302419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.233{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64394-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000302418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:35.233{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local64394-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 23542300x8000000000000000302417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:37.279{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4590FDEBDA4FCCFFA7496AEE4008452C,SHA256=D5261497ACA3670A015A9BEC9267600B1C26C4CA30367D8F8A34992CA8B67577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:37.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958492D54B12AF038C9EC5244B8E194F,SHA256=A880FF97578C00DDCDCC311A439BDF8F5D34FA434EBAD090F206C6585DB1E7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:37.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463B2A1BD88AF10089303EA85F8BE172,SHA256=C2CCBB92711A7C3E6224D41BC674B9BAAB78C0A361BD95DCD0B3093BB9C5FC2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:36.058{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64397-false10.0.1.12-8089- 23542300x8000000000000000302424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:38.295{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8314AB06F19581BC0268485BEDC37D,SHA256=49BE6FE466CD2116B53AE3EF718AB8C8C3DF7D7AAC6B32FCBCFC1FCA5602FA87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:36.101{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000264170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:38.349{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FD5003CF68C5835F2A9A34A5E3BDCA,SHA256=E3EF6853B98EF98D80B4088A1E62D8F3133E7A44C3AF0DB7F5084650847E273E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:39.310{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DBE847BDC47521085A851CBF173043,SHA256=BA268D43D7B6DB83877998460FA54C7C6AB16AA405C10E95A15A05C3E655756E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:37.570{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:39.365{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EFEAD94E4BFBB59C94E2BCBD1C1238,SHA256=8A77D8238A5C28869917533DE1F8802CCC00DDFA27BE8D11F5225193E2A5CBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:40.428{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507565B736ADFD0003AED6B6C096964F,SHA256=1E06D2CBB5DECEBCB1BCD4D3BE0F0E0AE944D1AC15106F4003482BF818D1F9F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:38.479{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64398-false10.0.1.12-8000- 23542300x8000000000000000302427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:40.341{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A8B66D90C2FD3AC0E1BF6B806F11A8,SHA256=2132FA89A4D66AEF8DC048DCDC4590B93A2121E18595972AEB40D4831672B4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:41.459{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C6B98E5500A3DAADA15EEC9236DE85,SHA256=34DA8A39245D3629CCAE27D8580E7C773EC7023517FB72F951186E20439EDAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:41.373{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1975B8A8009943844E5823356A34D2,SHA256=AFC6DEA81894A49BF7024417AFBAE45177BE4146B362B18F9708F623EF3086B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:42.404{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B388EE11DF7FB48BB3AC5A36A7D8FD82,SHA256=1389B2313A7B91974EB29D32C547DC8C407DE9D4406FA6E0C8052BA545C5DC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:42.474{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4C7DED7483A01645861590C36EFA18,SHA256=A4CC3FCCAA99287914EA56FEF937AE66D8F5A2C982C15603C318F8CDBC70AB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:43.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4046987E5F17BA7DC2C4D282AC685CB0,SHA256=4BE24A6DE8B69D1FF26EB3D45F3D78C08D932F7088B19C26F219B0AB3855ED1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:43.521{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15AD1649C2E42CA4021120CD70E94A7,SHA256=4A2ED5EDC9D4B8BE5D04B9B74446C8D5897FF885E785A802DECC6E957B031856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:44.542{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75425AB9965790401CBDB0A8114453FE,SHA256=B9E44DEC434A930C472FFA8AE810A704E08B04F8F57E778EF1EBB460C549861C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:44.440{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3404C652F04C8969ACF80469CA32E58E,SHA256=C5FC358DB2EC460983CDF5D3EB83766F13DC5DF80046686A6F35B9C06C2C7EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:45.542{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8899DB602FDEC110A31AFE97B51679,SHA256=AF26EBFD84C9262DB9CF8DAFB31708C8B62F192E165403F3B399AB364680C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.628{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCA767C3211E9A5E5E4C124E08F67B6,SHA256=D9D192D8718E0E6D2F0E4E9082617B1A97328E79DF42A0996D4CDFF35F326DEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000264179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:43.543{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000302481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.565{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:45.471{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FC68AFED7F6BD4CEFBEA463CDF9169,SHA256=6BFBAAE8D61EA97F5127CE3C9E3A4F9A92454DF1A7D8A522A926DF8B2E36296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:46.573{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C965432DF8E0978E5CE9E6DC43AD4E1,SHA256=A72218333B94F49408729950469EC9CFA168D3723F138ECD6B46411DC2462B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:46.471{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727134114E5C980DBD5F7A2A6331C880,SHA256=E9D3B8C55C3C402A0880100FBB0EC60CCF2C28E2D52B59BB01C63214DA3CF9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:47.620{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA6449A5966008C2CB5ABD8EF5EF535,SHA256=03777807206535E539A9C146776FE7A8289C286C70BD9C5C62219093F9B6D120,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:44.422{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64400-false10.0.1.12-8000- 23542300x8000000000000000302485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:47.503{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1A183C3BF1C8EBF1301A78E00F04A9,SHA256=77750EA7E199BCC02F8212597D0F163B8CEEB16DAEF7CABFB4C4E9CA2622DD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:48.636{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674443649BE293E6ABD3EFAFB8B759CA,SHA256=AC979DD0350D1C0B14CC2BE1792ACADBB57F17E56E78B3FF8104A896CDE6D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:48.518{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590BDE299E5F2A465EBCBB9C58D6D4A4,SHA256=97BD03D6DF58D1F28FC1E183CF42B1C5F33CABBD82B5048548850DFA2D0AC466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:49.667{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CFD513DF035C96BAB31D6EA7DFB977,SHA256=D9BB96D690CAE8FA419C05CC5A89B66AF8179BFF8DB1863C9EAD878AA9B4226D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:49.534{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12068C25D95B7A287E18999D436F5CF,SHA256=2334788935167A56849101DF689E4EE8180967FBB5C71A06E1DA4DC85BFEFA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:50.682{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3102B21A326A0A1F8320D8687412BF,SHA256=C7BCF8330E45547C55BB531DD7E5BE7F61CC69A6D2E61AB08CB2F10581B3E829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:50.534{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2645E6DEB7C14A0184CB2CFF3A3BFB16,SHA256=0F0F85AE38DBEFD434FB89F00B014E630601BFD4D46D8EF345B7E336257F2E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:51.682{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D3E8FFCBA0AEE1B0EDBB28FDA289A2,SHA256=8FCA6BA18BE2972D38C11D0E6E285E16A8828B87D0A52241A1B737A2F209AF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:51.550{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDD9009DB30B1EB13EE99D784D674C0,SHA256=D360B1FDE49458A8EA6CF3C3AAA7D43D5FB5C5F96BDE482DDB98229D2EF7D965,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:49.543{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x8000000000000000302490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:51.159{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\2.png2021-09-21 08:23:51.159 23542300x8000000000000000264188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:52.776{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6400A75459EE8ABD6EBF217BCA7760,SHA256=D09BCA3743608344678B675130BCF9F2069FD2BA17E2BC5762A263E5FCAC98DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:50.328{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64402-false10.0.1.12-8000- 10341000x8000000000000000302501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.690{5097E253-9698-6149-4A2C-00000000FB01}77127016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.581{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B51678D60B0D4784DA67177AACB2AF,SHA256=3ABBBE3A713433556E3C15A825881A01727427A29BB40D33133A3A83B002DB81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9698-6149-4A2C-00000000FB01}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9698-6149-4A2C-00000000FB01}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.534{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9698-6149-4A2C-00000000FB01}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.535{5097E253-9698-6149-4A2C-00000000FB01}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:53.839{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA62ED88E68179EB5717D82933D23DA6,SHA256=137B120B8084730A1BF4130CCCD5A68DF3DC1971708E0DC0473405EBECFF9E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.862{5097E253-9699-6149-4C2C-00000000FB01}10202924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9699-6149-4C2C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9699-6149-4C2C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.721{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9699-6149-4C2C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.722{5097E253-9699-6149-4C2C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.612{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E517D61288D4C503C80C204606742C4F,SHA256=9F5CCDFA935B16D6122C6145A09114A0B54C7A4A6280F03A8043705D9673A3C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9699-6149-4B2C-00000000FB01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9699-6149-4B2C-00000000FB01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.096{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9699-6149-4B2C-00000000FB01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:53.098{5097E253-9699-6149-4B2C-00000000FB01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:54.854{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF465F6EC171CBE626994301A2AD1897,SHA256=897854ABEFFAC2EA8CA3AD696FD00017329314198416D2E5F076ADE6340D231E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.659{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22983AB9EEFE7A91A296F9E47148CDB,SHA256=0E106C9C437D4C32F817113DE1BE82BE0E5C50B2C20F90FE50A527C8225C328E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.550{5097E253-969A-6149-4D2C-00000000FB01}45124664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-969A-6149-4D2C-00000000FB01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-969A-6149-4D2C-00000000FB01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-969A-6149-4D2C-00000000FB01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.393{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:54.394{5097E253-969A-6149-4D2C-00000000FB01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000264201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000264200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0512575d) 13241300x8000000000000000264199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0xa2424005) 13241300x8000000000000000264198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0x0406a805) 13241300x8000000000000000264197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aeca-0x65cb1005) 13241300x8000000000000000264196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000264195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0512575d) 13241300x8000000000000000264194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0xa2424005) 13241300x8000000000000000264193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0x0406a805) 13241300x8000000000000000264192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:23:55.901{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aeca-0x65cb1005) 23542300x8000000000000000264191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:55.886{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6046FA0619BE45E36D311F6812FC22F6,SHA256=F4BAC592A5F92F560725D39C94F5116257B99339EB05FF8084F5B16D8650522C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-969B-6149-4F2C-00000000FB01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-969B-6149-4F2C-00000000FB01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.737{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-969B-6149-4F2C-00000000FB01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.738{5097E253-969B-6149-4F2C-00000000FB01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.659{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE76A979F4ABC9C61E89A0F94C58763,SHA256=CA28285BEB6BA43096762487F44C6F3CFC8D792BD4D7687A9E0BA143CEA3B78D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.206{5097E253-969B-6149-4E2C-00000000FB01}1367584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000302539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:52.234{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59481- 10341000x8000000000000000302538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-969B-6149-4E2C-00000000FB01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-969B-6149-4E2C-00000000FB01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.065{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-969B-6149-4E2C-00000000FB01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.066{5097E253-969B-6149-4E2C-00000000FB01}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:56.917{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5611054243816591C8A50A1E9E94DE,SHA256=C031E4CA5D4E17B0BDD1E433048D896DAD46152B794899A01348607B4DCAB51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:56.675{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856789D47E4328C89C277C9AEB5AB5EA,SHA256=19FFB5258AA194BEB1DFF235BD89DBDC7FA2FB69BC790D00EEC09977DD3F3814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:57.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E70CCEE4EE470B77EA87D4474313DF,SHA256=68CE105590C859F0620389FF7EE2F12483639BAE8F4D911425BCF65366D61464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:57.706{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEB963E4AE58F312471BC6D85726247,SHA256=7004110C3F0A9A51945A67E6C83EFC52C5265D6542BA031C325582ED49D43B9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:55.527{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:58.964{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED1BC1AF5A40E3ACDE299DC40C81B66,SHA256=B59D71DE54E765AC0252E30EF7FA90EC7C5E4B1C9F708C14359FC74CF1450BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:58.737{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E897EFB4C8E90C5F4E22715D7A555F3,SHA256=E7C528A0A1E1975868BF2628058681AFDCAAA64D586C1B25B13D79A646519BC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:56.000{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64405-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000302553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:56.000{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64405-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000302552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:55.547{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64404-false10.0.1.12-8000- 23542300x8000000000000000264206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:23:59.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9684CD8AB0C8BB8F49D45B1AA321D16B,SHA256=AD683B265F740E248BB7F82A4C9160D8D86F8C359936934148677A45571049D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.800{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48EA6581B3C99F0F57CA7DA5E388A03,SHA256=3A774D6BD78F2EA7ED972AD5F17A494B7FD96E68DE00395849C2F2CFD5DCC073,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-969F-6149-502C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-969F-6149-502C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.784{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-969F-6149-502C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:23:59.785{5097E253-969F-6149-502C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000302565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:00.815{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF58109441871363084F9C4249F2173,SHA256=CDE0715CCFF509622D160296A34FB16E2B3BCB0D46147676AB933B1757905132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:01.831{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E240877BB571528EB1202B2DA64DCE0D,SHA256=4591EACA49E1A89AE07E14981B937AD7D49D1E05A146CA3460CB482E3C02AB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:01.011{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61678719E04500B83FB0C4936CDC7A0A,SHA256=C4D00CACCEF05F5810BEC9F91509054FF702AE243849566BC648BD6F06F0973A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:02.847{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8B8666C3BD094B3068AA9227EC7569,SHA256=995222F358AD20AE3BE88B179495BF4C39E1EF7731E2A28BF6E3FBDC8483EBDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:00.605{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:02.011{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136670AB0D92F93841D3028FFF037FBA,SHA256=A0B0C306AF49C2ACCB3AC69A9121B6918CA1062241B5198836BFD3F05335B370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:03.862{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A25DE2148FC02B4464C950D81820756,SHA256=A5438E488DA6CB6E2794ECF690698A506CB796321DFF85BD826BC98F1B804FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:03.339{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=825F4BFFBBF123B3200CC5571B654A3C,SHA256=C07F17DB7303008800DDCB1CD48F0E01946044BE1E6D4BACFB2B5E73D4CC5671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:03.057{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBB43679DF82D1379301C0DEDC75A6E,SHA256=588A4DA417DE98F9B53CFB6FC1E39C9CEF18852C685A56D4024BC36C710BF9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:04.865{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F238925E92D86397AB9D18C60CEC2CFD,SHA256=E887465A7389A33D32597912AF983EC64027F83806AE9F0576430F91A7EA06AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:04.061{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44909E05C8A3A7621B6BE62094D599D3,SHA256=F2D4D7E15E64C0CC92D7F54BCD07EDA3D7518C5408F72376E359E0DEDFD54267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:01.344{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64407-false10.0.1.12-8000- 23542300x8000000000000000302572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:05.897{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2A58EF7B82740E66BFC7FA580810F,SHA256=0E1B6219CB62DDDAAB6CCA4F3BB46D82E0B0087782F82891BAEDA2178BD7596D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:05.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EAE0E160DC9357A59A5B9AF8790D29,SHA256=2334EB3199DAC2D83E675EC9C4A65FC8F1DE461BAEEB4986C11F5E49F8ECFC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:05.400{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1390MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:06.929{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFCE2BEB9F30340AA5146BDBD28E2A5,SHA256=10EC8512B35176CA881FDE395EDA465A002F6570883B903728E1C6628E432C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:06.092{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BFAFFE4220AD40C0EB9B6373A37398,SHA256=EDC6D1E66913979392CDE98F592508F1278E83A306D48331D4B5A407923C8718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:06.414{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1391MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:07.930{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ABAEE59924EF462EE9B97892FB1700,SHA256=465B46034F2ECFAD598E4176CBCD89220AC15DA26FDF4CE262A9033C1E5780F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:07.108{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F5F6AFC590D43138CCC9D91D15DEBD,SHA256=A930C1E512325AE48440BD2184A8A431EA4DCFB63B1577B3C253DE20242D1BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:08.946{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42323BFB0F27E81C2351F9859338774,SHA256=FAF96314DF29A87DF624911F042F16F0FEE44591F35940F916ABA9F4A0956600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:08.124{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D716CF13E2260EFC508220F5650E303,SHA256=4CA820C416CC1E79F7D89B282D2C8EBDA773D2B0F3A437AEA47F22913160CFFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:05.703{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000302578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:09.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CD8C78B777E39777B4950FAC4EF0BC,SHA256=AF670FAF031AECF671A9768F7FD951F708B01D9BEB1EF3C86CA110D7F15D0986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:09.139{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97FAF4477CAB0A04EFBB95B1669CB70,SHA256=E6DA6BBFA5F4A406FF08584A7632161B96F0A74855640D0F6621C45299914AA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:06.474{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64409-false10.0.1.12-8000- 23542300x8000000000000000302579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:10.977{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D61BBE5F941A35DAE724B1D5E610EED,SHA256=DAF985BAE109667E4BF357E90302738F14A8CFDF32AF01E5D2B1F5DEFF84FDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:10.139{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4384923AF4CD483390647EDF92DA25,SHA256=B9F2AC09CDB56AE74CF273E8C6E269AA9473E3D507D194444BFB57D19C5ECB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:11.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C38EFB29217975C20A69A8A6CA1D90F,SHA256=408E96B1D6AF45D5F284859511391DC5F67BB71FC4F00014E49CFAAD8B425C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:12.564{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1382MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:12.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75EDC198EB1E1B64E88AF4670BCF0BF,SHA256=E12AD553727868CAADBA09DA82A90E61146B65967EA11412AE7A350BCD2C2742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:12.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC252A232CDBD1CAE5B7E034AD980199,SHA256=3A7B1854B534D01EBAA0497BEB26A29B0C663DDB5513BBFFF02145A0FC72BC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:13.564{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1383MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:11.610{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:13.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45201C50F9AE9CF0AD3579036C04A98,SHA256=26311CB12B751A690823055EC6009573B4B1AD8413E51550466C27320D732654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:13.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9EC17BC34FA5A81657D640C17E2D1A,SHA256=F917309396788BCAB8593FB4F81BBB94DAFF1DBC47A9C652A97E647F0E83116D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:14.157{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EB2ABC74E13CCCCCDCF605CFDF9C7,SHA256=77A4056C49968C539BFDA7691DA904AB998B0F1702E61AAADB257376CE95B7C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:11.553{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64411-false10.0.1.12-8000- 23542300x8000000000000000302582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:14.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311E926651423DAB072936DE3382EBB6,SHA256=B884B17AE965FDB76CDF8DC8E40183C8A3A6CD21C2EE1A25A340F5F36100A1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:15.173{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0395828C1E8E822621BD9B3716F9A2E,SHA256=786E842910688DD5EEE9A49030BBAF5907ABD29CCE43ED1CF0F13F3E52268DF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:11.897{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000302584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:15.071{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA22E1C9C5F22CD15EEA474952A2B7F8,SHA256=682329501F653A67E11E1365C606B0CC3919F349200E1BABE7A6476CD52C0135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:16.189{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7EA74033A4BE9683C093CAFF805A37,SHA256=B35F4BC972D020300C4831FE2570409802647A77B4DE205AA7216F3EC0B43056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:16.102{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD7E4FAE67D4F405237CA837A43F89F,SHA256=EFE39C6A3C2752AB58EB26A778E0494F6AC58D3C470A015A588630DBE325B314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:17.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1556AF94144CFF8BA133E23190DCB45B,SHA256=0DBF2FC96D92888B098C1ABD73100B83D1CF3EE968C25FCA2D416DEBA7638752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:17.118{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50FA748751A64E02485C3889251E9EF,SHA256=724A2113A177086B74B72E5DF70A348C1AD262B7A7E24A5ED1A030B90CAD9718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:18.165{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CF0181C384AEAC60F461ED16DAE4F3,SHA256=83054920FF5013E7660B6F1268E331E53021427C7F68701FDE2FD8D432FC78A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:16.627{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:18.220{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF851C92EC9AD2EB223C7CC68D85B6D,SHA256=3CEDB436C6049F9CC58B9373822E2EB681B2C13F2AA96AC30A72201781C89DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:19.236{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA7E9F06A6021A31CE4865778B766D2,SHA256=A0A418031F8E5427AEF01DAD5D8B577FC8078C0F9C20D15BC7306ADD839404CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:17.318{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64413-false10.0.1.12-8000- 23542300x8000000000000000302589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:19.180{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AAEB324374FDFEA0D6B61A6410C89A,SHA256=2675546DDF24EBDF49DED6C86606A861977877679FFE0F9360F181A8A1560B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.907{C189DCE5-96B4-6149-B927-00000000FC01}2668224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B4-6149-B927-00000000FC01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-96B4-6149-B927-00000000FC01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.736{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B4-6149-B927-00000000FC01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.737{C189DCE5-96B4-6149-B927-00000000FC01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.454{C189DCE5-96B4-6149-B827-00000000FC01}5721820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B4-6149-B827-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-96B4-6149-B827-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B4-6149-B827-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-96B4-6149-B827-00000000FC01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:20.236{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F60DA413678521204E347F938F435D7,SHA256=B56E09D1C4207FF788DDCCD64E3CB1CFCF1008E28CD09EAF6D02ADA4EF93289E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:20.196{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBB9B4F3CA53EFB3FD7DE4748E3767E,SHA256=3F7F6CB00AE97102C216BBBB727CA7FA535EDF5139FCBB2A707013547DA497BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB5DFE31E7D0B876A5231842A1FF758,SHA256=48720C33A4EB2DECFCCB1F884A8E6976E06D37C9F58D1193DB032033B7BF4CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B5-6149-BA27-00000000FC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96B5-6149-BA27-00000000FC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.407{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B5-6149-BA27-00000000FC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.408{C189DCE5-96B5-6149-BA27-00000000FC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.251{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB5679489F5FC3218513C13EB4405D3,SHA256=C8FABE0246C9FB4F3B958382DC428FC77936840F4E8397D1DA74BF83C7A70A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:21.251{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D20A8668E56D5AD0BD35EA0D707AFD39,SHA256=2AEDC1FD053A3BAA640BDF86037B545B16F497499E2C67E829E02D06E523434E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.790{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96B5-6149-522C-00000000FB01}7144C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.790{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96B5-6149-522C-00000000FB01}7144C:\Program Files\Google\Chrome\Application\chrome.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:21.774{5097E253-96B5-6149-512C-00000000FB01}7848\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.774{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96B5-6149-522C-00000000FB01}7144C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.774{5097E253-96B5-6149-512C-00000000FB01}78487272C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B5-6149-522C-00000000FB01}7144C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+32469|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+316f3|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+30740|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+2f1fc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+2f4a7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+338b1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome_elf.dll+288be|C:\Program Files\Google\Chrome\Application\chrome.exe+a82bb|C:\Program Files\Google\Chrome\Application\chrome.exe+10f8e2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.774{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B5-6149-522C-00000000FB01}7144C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000302604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:21.774{5097E253-96B5-6149-512C-00000000FB01}7848\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000302602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDBSetValue2021-09-21 08:24:21.743{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKU\S-1-5-21-1292086698-2133823296-1489611813-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Google\Chrome\Application\chrome.exeBinary Data 10341000x8000000000000000302601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.743{5097E253-8792-6149-AA29-00000000FB01}48165024C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c 154100x8000000000000000302593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.731{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe93.0.4577.82Google ChromeGoogle ChromeGoogle LLCchrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=AF139BB54430545D08E2AF3BAB125223,SHA256=61689DCF380E19F56E253F438B76537A6D332B20302278FB719E5F868587E58E,IMPHASH=891D2BAFA4260189E94CAC8FB19F369A{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000302592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:21.196{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A7EB25C55697225CBDE30700E70C76,SHA256=2F6D29F19A8B0A61B2866BD0AADD65E6058010CA3AD7028F305A3E6A43FE9D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.689{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB5679489F5FC3218513C13EB4405D3,SHA256=C8FABE0246C9FB4F3B958382DC428FC77936840F4E8397D1DA74BF83C7A70A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.689{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F02979CC614D93A30F3CA516957278,SHA256=A769AB10CF2219C1F28A3FC554235AB330A29EC934145AA9A2623405F568EAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.759{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458DB160C24EE999B25CE1FF39569F79,SHA256=170342ED3D23945F48123E267647599DBF98248AEFF120357750BA94D5577B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.759{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958492D54B12AF038C9EC5244B8E194F,SHA256=A880FF97578C00DDCDCC311A439BDF8F5D34FA434EBAD090F206C6585DB1E7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.212{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9887CCBF6DDE5CE52D8078B74DAA8390,SHA256=9B09E228352CE19D2DC2CDB35C55BF85005B98123FE4C8DDF196E58CA1396DA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B6-6149-BB27-00000000FC01}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96B6-6149-BB27-00000000FC01}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.079{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B6-6149-BB27-00000000FC01}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.080{C189DCE5-96B6-6149-BB27-00000000FC01}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:23.689{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBB7F3E152F7C6D73683B465DCFF511,SHA256=53A65E5EA9FB4B3C4A99B144C198E56B4C4064F37A7A3E2E259EA7D38D60610B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.952{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-5A2C-00000000FB01}1104C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.952{5097E253-96B7-6149-5A2C-00000000FB01}1104\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.951{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-592C-00000000FB01}7540C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.951{5097E253-96B7-6149-592C-00000000FB01}7540\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.939{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.11007891055891170334C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.939{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.11007891055891170334C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.935{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-96B7-6149-5A2C-00000000FB01}1104C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.935{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-5A2C-00000000FB01}1104C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.934{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-5A2C-00000000FB01}1104C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.933{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.4855559500042328867C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.933{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.4855559500042328867C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.930{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96B7-6149-592C-00000000FB01}7540C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.930{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-592C-00000000FB01}7540C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.930{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-592C-00000000FB01}7540C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.929{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.9785351661508327771C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.929{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.9785351661508327771C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.929{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.16293370264111806272C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.929{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.16293370264111806272C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000302726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.926{5097E253-96B7-6149-542C-00000000FB01}5960ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005MD5=7BEEBF9CC5C804642EA4DDC187C11508,SHA256=2CDC4D1D8089A50964C66B5482B74C2B756C4242FCD839D07509E07E5BAE62BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.863{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.862{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.762{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.762{5097E253-96B7-6149-582C-00000000FB01}7872\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.720{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9678015239970623858C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.720{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9678015239970623858C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000302714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.715{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9538C5A9143919D9A336162FD8615853,SHA256=7BAAD505E3BB96BF09A56CD84336BAD6E37D1FF7B75D4C57500EBA89BA2D4BF9,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000302713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.708{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.8867300154096065507C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.707{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.8867300154096065507C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.703{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.703{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.703{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-582C-00000000FB01}7872C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.700{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.15953331085773512906C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.700{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.15953331085773512906C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.688{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.17344675601606772758C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.688{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.17344675601606772758C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.681{5097E253-96B5-6149-512C-00000000FB01}78487272C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+127e839|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+127e783|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3111190|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+10548eb|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+27b52b4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292bb64|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0 10341000x8000000000000000302703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.671{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.646{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB8D3AAC86C5E3EC7994F09FC69DC16,SHA256=A1F49CE01A342802B2781B9388B37C74B284C6935DDA2915A30D440E02CADD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.566{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Trusted Vault~RF51a9e72.TMPMD5=378B4E1AC1334326E3DCCF8E10E2C1F1,SHA256=03AD881B33D53412C0670140A05AB34CC0186756E3C26CEC1AEBB7FABF7142EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.524{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF51a9e43.TMPMD5=9BED094B679E741A44F5AE6B4A6FFA01,SHA256=C5B48068F736170FDCE7588459800B2E4CB0C6431D60F566FAD3844557C2C4BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.520{5097E253-96B5-6149-512C-00000000FB01}78483632C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+8ba04|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b7d8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b6d6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3789557|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3787c6a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d5c8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.519{5097E253-96B5-6149-512C-00000000FB01}78483632C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+8b9ba|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b7d8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b6d6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3789557|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3787c6a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d5c8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.519{5097E253-96B5-6149-512C-00000000FB01}78483632C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+8b9ba|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b7d8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+162b6d6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3789557|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3787c6a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d5c8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.471{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\todelete_682a2c4f579b49c2MD5=A76075CCB5AAA9F741FEAFE27656A1BE,SHA256=96664C6A7242367C80D5ADD2B95EECA0A3C20197828904F1E91449AF5E9E8A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.471{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458DB160C24EE999B25CE1FF39569F79,SHA256=170342ED3D23945F48123E267647599DBF98248AEFF120357750BA94D5577B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.460{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.455{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.455{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.455{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.455{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.445{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876A504064B95C89CBC666852BF44E47,SHA256=A0351F2EEF5957000D832D0F40AAA5D5EED43775FC6333FC6B124CE927B32434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.415{5097E253-96B5-6149-512C-00000000FB01}78487432C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000302674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.383{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logMD5=A9A0B44191D5DE9ACA31FB4D82279A8D,SHA256=C4EEC06CDCB5A92BDB3FC8FFBA868068EE79CF3B96D57B89A35AA004CFE46698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.368{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.368{5097E253-96B7-6149-572C-00000000FB01}5632\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.368{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.368{5097E253-96B7-6149-562C-00000000FB01}6892\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.368{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.7606516894094630671C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.368{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.7606516894094630671C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.368{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.368{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.368{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-572C-00000000FB01}5632C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.6743235722282323670C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.6743235722282323670C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.352{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.352{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-562C-00000000FB01}6892C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.13825403514555656015C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.13825403514555656015C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.17862429998852239092C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.352{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.17862429998852239092C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.305{5097E253-96B7-6149-542C-00000000FB01}59606336C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+7605ac|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+75f530|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292b4af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0|C:\Program Files\Google\Chrome\Application\chrome.exe+a8e97|C:\Program Files\Google\Chrome\Application\chrome.exe+10f8e2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.305{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-552C-00000000FB01}5952C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.305{5097E253-96B7-6149-552C-00000000FB01}5952\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.290{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.290{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.274{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9944041139764975855C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.274{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9944041139764975855C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.274{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96B7-6149-552C-00000000FB01}5952C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.274{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-552C-00000000FB01}5952C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.274{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-552C-00000000FB01}5952C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.274{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.15338226118741140653C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.274{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.15338226118741140653C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.274{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.274{5097E253-96B7-6149-542C-00000000FB01}5960\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.274{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.274{5097E253-96B7-6149-532C-00000000FB01}4684\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000302639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Last VersionMD5=2722C8D6371682BC07D01E071A6E7A01,SHA256=3CD695F4B43FC4D62B046C7BFC0781358AA38A9320E0C2CE215B5ED981A99A82,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000302638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.5007990931254594654C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.5007990931254594654C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+90fd6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+906fa|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29ce45c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10898875955383647569C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10898875955383647569C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000302631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10640387259277433933C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10640387259277433933C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.258{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96B7-6149-532C-00000000FB01}4684C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:23.243{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2947989880780739994C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:23.243{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2947989880780739994C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.243{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.243{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.243{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.227{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.227{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBC252FCEF3F623907B887E3AF9D8AF,SHA256=A3B67CAD8911D586BCA1A2F6BEC95D21CA10CF3DA669E256125AED6951E3BB4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.212{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.196{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.196{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B8-6149-BD27-00000000FC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-96B8-6149-BD27-00000000FC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.957{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B8-6149-BD27-00000000FC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.958{C189DCE5-96B8-6149-BD27-00000000FC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000264309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:22.643{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.707{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86541F0DD48D228F28008A412C400C35,SHA256=060D3D967538E38F91106AD55220DF3CD5A38B51268DDEFC0CB499274C136009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.739{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBF7AB3A44CB87622D28AE88C52E5378,SHA256=D419BE9763452113F830E5313E20D5DF443C67A3E8A2CAF6C1F10520C91FB326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.736{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B31145A1512051559CA58DF61AB711B,SHA256=85C7A39F78F290EC6D63B98D745D2E74FE40FBF0D217D239E09FCD523ADE4A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.832{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local61292-false239.255.255.250-1900ssdp 354300x8000000000000000302755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.826{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local61291-false172.217.16.141fra15s46-in-f13.1e100.net443https 10341000x8000000000000000302754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.718{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.718{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000302752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.799{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local53023-false142.250.185.163fra16s51-in-f3.1e100.net443https 10341000x8000000000000000302751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.717{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.717{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000302749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.794{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52372- 354300x8000000000000000302748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.791{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61620- 354300x8000000000000000302747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:22.521{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local64414-false10.0.1.12-8000- 10341000x8000000000000000264307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.520{C189DCE5-96B8-6149-BC27-00000000FC01}36163404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96B8-6149-BC27-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96B8-6149-BC27-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.347{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96B8-6149-BC27-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:24.348{C189DCE5-96B8-6149-BC27-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x8000000000000000302746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:24.035{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.118510356557478259C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000302745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:24.035{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.118510356557478259C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000264325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:25.800{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5908C2C2432F83288B958C578DD19DE,SHA256=6DFEC4BEEA385B8BDB8F2CF7980366B35B1506A611059F4132FB2D31E0912654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:25.746{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB7D8E7984766664E3646BC016E397E,SHA256=8679F3A1BBBFF1215BE2625BB0C8642E968DE4EBE78FC0311BE37635651F6A76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.124{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63177- 23542300x8000000000000000264324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:25.394{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F859DCBC08D9349E162EC3573A937CB2,SHA256=F05A7B82BDE6F4266A0F3EB9D5C4153FCB6892D7783A9865B2B7F71CEB09CDFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:25.082{C189DCE5-96B8-6149-BD27-00000000FC01}21761448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.918{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92A3BD3A82B74D362F72B0F561132B34,SHA256=0A7A4012567A8506A14D5E30B88B4310859BFF5C6CB9AACA99966E623AF0D84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.918{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822ECF62A0B4FEA25C7F30A9641CDD41,SHA256=6052E7ED6FE82635EA2D2DB9FB08A38B01E41DCC96C0DAB6A4171DA1CCFB9DC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000302805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.809{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60056- 354300x8000000000000000302804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.809{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60186- 23542300x8000000000000000264339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.816{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2834909169C352D3CA2C3CD6E5CD13,SHA256=794F300E85919E3A778E5C008593289E81A12CD72D9312C19CEF16656F3596D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96BA-6149-BE27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-96BA-6149-BE27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96BA-6149-BE27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:26.207{C189DCE5-96BA-6149-BE27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000302803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.131{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57978-false142.250.181.228fra16s56-in-f4.1e100.net443https 10341000x8000000000000000302802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.528{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.528{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000302800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.125{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58868-false142.250.181.228fra16s56-in-f4.1e100.net443https 10341000x8000000000000000302799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.528{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.528{5097E253-484A-6148-2800-00000000FB01}29043084C:\Windows\sysmon64.exe{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000302797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.815{5097E253-96B7-6149-542C-00000000FB01}5960www.google.com0142.250.181.228;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x8000000000000000302796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.514{5097E253-96B7-6149-542C-00000000FB01}5960accounts.google.com0172.217.16.141;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x8000000000000000302795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:23.483{5097E253-96B7-6149-542C-00000000FB01}5960wpad9003-C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000302794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48163976C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48163976C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164860C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.388{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.371{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.371{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.371{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.356{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-96BA-6149-5B2C-00000000FB01}41365132C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8b85|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.343{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000302770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.340{5097E253-96BA-6149-5B2C-00000000FB01}41365132C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483D-6148-1300-00000000FB01}920952C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.325{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.309{5097E253-8792-6149-AA29-00000000FB01}48165584C:\Windows\Explorer.EXE{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c 154100x8000000000000000302761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.319{5097E253-96BA-6149-5B2C-00000000FB01}4136C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000264341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:27.832{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BB45CA9F84D779FE03752DED60E7B4,SHA256=4C4377D1497264315EA85A0228AC1CE9C0B95AEAD1692B13AA4BAAF24DE5814C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000302962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000302961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 23542300x8000000000000000302959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.981{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000302956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000302955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.966{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.966{5097E253-96BB-6149-5D2C-00000000FB01}5892\chrome.7760.4.18511713C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000302951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.4.18511713C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.966{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.966{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.2.81562900C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}77607424C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}7760\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.950{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.950{5097E253-96BB-6149-5D2C-00000000FB01}5892\chrome.7760.3.80757185C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000302943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.3.80757185C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.950{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.1.45429622C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}77607424C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.950{5097E253-96BA-6149-5C2C-00000000FB01}7760\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000302937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000302936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000302923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 10341000x8000000000000000302922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000302921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000302920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f 10341000x8000000000000000302919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000302918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.903{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.888{5097E253-96BA-6149-5C2C-00000000FB01}77605700C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.902{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7760.2.815629003\1879514923" -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 5710 -prefMapSize 244994 -jsInit 1188 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7760 "\\.\pipe\gecko-crash-server-pipe.7760" 3320 1b608f03f38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000302910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.888{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.2.81562900C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000302909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.872{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.841{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.825{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000302896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.794{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000302895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.794{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000302894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.794{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 23542300x8000000000000000302893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.794{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000302884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000302883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000302882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.778{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.773{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000302876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.772{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000302875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.771{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(000002E98D873E5F) 10341000x8000000000000000302874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.771{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b52aff|C:\Program Files\Mozilla Firefox\xul.dll+73e84|C:\Program Files\Mozilla Firefox\xul.dll+12470d8|C:\Program Files\Mozilla Firefox\xul.dll+8ad21|C:\Program Files\Mozilla Firefox\xul.dll+8ac78|C:\Program Files\Mozilla Firefox\xul.dll+abdcbe|C:\Program Files\Mozilla Firefox\xul.dll+8723f|C:\Program Files\Mozilla Firefox\xul.dll+c2fb2b|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+1bb4759|C:\Program Files\Mozilla Firefox\xul.dll+1b5f3a6|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 23542300x8000000000000000302873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.741{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.734{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+313dfc|C:\Program Files\Mozilla Firefox\xul.dll+faff25|C:\Program Files\Mozilla Firefox\xul.dll+bfb6f4|C:\Program Files\Mozilla Firefox\xul.dll+3136cd|C:\Program Files\Mozilla Firefox\xul.dll+399c9b|C:\Program Files\Mozilla Firefox\xul.dll+39949d|C:\Program Files\Mozilla Firefox\xul.dll+be61ca|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173 10341000x8000000000000000302871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.733{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+faf7f0|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049|C:\Program Files\Mozilla Firefox\xul.dll+f0bc7f 10341000x8000000000000000302870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.731{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.716{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.716{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b5f85d|C:\Program Files\Mozilla Firefox\xul.dll+b6f7fa|C:\Program Files\Mozilla Firefox\xul.dll+b4ce69|C:\Program Files\Mozilla Firefox\xul.dll+b625a0|C:\Program Files\Mozilla Firefox\xul.dll+1a1a5c2|C:\Program Files\Mozilla Firefox\xul.dll+19205a2|C:\Program Files\Mozilla Firefox\xul.dll+191e8cd|C:\Program Files\Mozilla Firefox\xul.dll+3858d8|C:\Program Files\Mozilla Firefox\xul.dll+fb7376|C:\Program Files\Mozilla Firefox\xul.dll+fb6c0d|C:\Program Files\Mozilla Firefox\xul.dll+fb6e03|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457 10341000x8000000000000000302867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.715{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000302866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.684{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000302864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000302863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82 10341000x8000000000000000302862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca 10341000x8000000000000000302861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000302860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000302859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.668{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000302858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.653{5097E253-96BA-6149-5C2C-00000000FB01}77605700C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.661{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7760.1.454296225\223113187" -childID 1 -isForBrowser -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 697 -prefMapSize 244994 -jsInit 1188 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7760 "\\.\pipe\gecko-crash-server-pipe.7760" 2156 1b606e5f738 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000302850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.637{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.1.45429622C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.637{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000302848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.637{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000302847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.637{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 354300x8000000000000000302846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:24.811{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53455- 23542300x8000000000000000302845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.512{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.512{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-journalMD5=D2BE08DB5E042741B774F0B5AAD5519F,SHA256=029D0670599D9A1DC30C04D61921A333C9112B9BC3476F731DEF61905B35EA58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.496{5097E253-913C-6149-832B-00000000FB01}68727692C:\Windows\System32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+2a963|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.481{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.481{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-journalMD5=CA63327C415FBD1D23632102830EDE18,SHA256=B61D5D60A10727FD8CC3D9552C4991C611EA16D30CB801D85983876BDD3AA80A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.450{5097E253-96BB-6149-5D2C-00000000FB01}5892\chrome.7760.0.78034051C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000302826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-96BA-6149-5C2C-00000000FB01}77607424C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000302825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:27.450{5097E253-96BB-6149-5D2C-00000000FB01}5892\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000302824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.450{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-journalMD5=CFD4AD018B3D245B30CAAFFBC8308C73,SHA256=32783B3E46311A2A83B498BA3B6F17C0A4B8A4186D58EB1397320922560201B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.434{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\690MD5=5FCD37049D19943BA0577FD44F85B599,SHA256=C69565BA795851F6B9FE9FDCE250AB9A1F1F194A6C807188E31873B8F105D68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000302812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.418{5097E253-96BA-6149-5C2C-00000000FB01}77605700C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+1756ea4|C:\Program Files\Mozilla Firefox\xul.dll+9fbc79|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000302811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.421{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7760.0.780340511\1312906216" -parentBuildID 20210903235534 -prefsHandle 1332 -prefMapHandle 1324 -prefsLen 1 -prefMapSize 244994 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7760 "\\.\pipe\gecko-crash-server-pipe.7760" 1440 1b67fc60938 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000302810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.418{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.0.78034051C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000302809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:27.418{5097E253-96BA-6149-5C2C-00000000FB01}7760\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000302808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.356{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:27.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33589812DD4AC7D31CF6C74F71192E55,SHA256=0917ED5489FE72E3632A2BEB76ECC22BA75F7B772CF952284CBA2C345D00F75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:28.847{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC08DA8DA34A30A4A1285FBAEEE3D09,SHA256=359C3749CE228002FCF62FF4B2BA48B36F7F5500B4E92BD5E22DACE0EC57F4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.909{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF2699D809454E49E28E0FBD0695725,SHA256=0FF3DCB5796951C2211F22DC3BA565E22F407AB5206CCBA217AF7B37ACABA64B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.132{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60277- 354300x8000000000000000303142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.119{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57982-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000303141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.102{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57981-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000303140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.101{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50701- 354300x8000000000000000303139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.101{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58870- 354300x8000000000000000303138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.097{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60525- 354300x8000000000000000303137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.697{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-57980-false127.0.0.1-57979- 354300x8000000000000000303136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:26.697{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-57980-false127.0.0.1-57979- 23542300x8000000000000000303135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.809{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\search.json.mozlz4MD5=69D8B81E0C70F46FC632A6651C8F0114,SHA256=4EC26C54FC638C47D9522EF811685D428C9AAD65799FC43036C41C3BC858805D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000303134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.406{5097E253-96BA-6149-5C2C-00000000FB01}7760www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:2.18.234.244;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.406{5097E253-96BA-6149-5C2C-00000000FB01}7760www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.405{5097E253-96BA-6149-5C2C-00000000FB01}7760reddit.map.fastly.net0151.101.13.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.405{5097E253-96BA-6149-5C2C-00000000FB01}7760www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.13.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.402{5097E253-96BA-6149-5C2C-00000000FB01}7760youtube-ui.l.google.com02a00:1450:4001:803::200e;2a00:1450:4001:827::200e;2a00:1450:4001:828::200e;2a00:1450:4001:802::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.402{5097E253-96BA-6149-5C2C-00000000FB01}7760dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.402{5097E253-96BA-6149-5C2C-00000000FB01}7760star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.398{5097E253-96BA-6149-5C2C-00000000FB01}7760youtube-ui.l.google.com0142.250.186.174;142.250.184.206;142.250.184.238;172.217.18.110;172.217.23.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.174;142.250.185.206;142.250.185.238;142.250.181.238;172.217.16.142;216.58.212.174;142.250.74.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.398{5097E253-96BA-6149-5C2C-00000000FB01}7760dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.398{5097E253-96BA-6149-5C2C-00000000FB01}7760star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.398{5097E253-96BA-6149-5C2C-00000000FB01}7760www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.397{5097E253-96BA-6149-5C2C-00000000FB01}7760www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.74.206;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:142.250.184.238;::ffff:172.217.18.110;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.185.238;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:216.58.212.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.397{5097E253-96BA-6149-5C2C-00000000FB01}7760www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.257{5097E253-96BA-6149-5C2C-00000000FB01}7760cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.255{5097E253-96BA-6149-5C2C-00000000FB01}7760cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.231{5097E253-96BA-6149-5C2C-00000000FB01}7760prod.data-ingestion.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.226{5097E253-96BA-6149-5C2C-00000000FB01}7760prod.data-ingestion.prod.dataops.mozgcp.net035.244.247.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.944{5097E253-96BA-6149-5C2C-00000000FB01}7760a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a194;2a02:26f0:1700:f::1737:a1a4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.943{5097E253-96BA-6149-5C2C-00000000FB01}7760a1887.dscq.akamai.net02.22.9.105;2.22.9.106;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.942{5097E253-96BA-6149-5C2C-00000000FB01}7760r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.22.9.106;::ffff:2.22.9.105;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.826{5097E253-96BA-6149-5C2C-00000000FB01}7760d2nxq2uap88usk.cloudfront.net02600:9000:2182:6400:a:da5e:7900:93a1;2600:9000:2182:0:a:da5e:7900:93a1;2600:9000:2182:6c00:a:da5e:7900:93a1;2600:9000:2182:6a00:a:da5e:7900:93a1;2600:9000:2182:b600:a:da5e:7900:93a1;2600:9000:2182:c200:a:da5e:7900:93a1;2600:9000:2182:1600:a:da5e:7900:93a1;2600:9000:2182:3200:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.825{5097E253-96BA-6149-5C2C-00000000FB01}7760d2nxq2uap88usk.cloudfront.net013.225.78.104;13.225.78.78;13.225.78.8;13.225.78.106;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.798{5097E253-96BA-6149-5C2C-00000000FB01}7760example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.797{5097E253-96BA-6149-5C2C-00000000FB01}7760example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.793{5097E253-96BA-6149-5C2C-00000000FB01}7760prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.791{5097E253-96BA-6149-5C2C-00000000FB01}7760prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.789{5097E253-96BA-6149-5C2C-00000000FB01}7760detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.740{5097E253-96BA-6149-5C2C-00000000FB01}77603620C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.740{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.740{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.725{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.725{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.725{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D3764116425A127A46777BC6F9462993,SHA256=4B135A2E88F91F2859130A68144E2A0D5888130D5ECD2B08253A832137BA696B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.725{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000303100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:28.725{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000303099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:28.725{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.709{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.709{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:28.709{5097E253-96BB-6149-5D2C-00000000FB01}5892\chrome.7760.6.25126797C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.709{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c272c|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000303094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:28.709{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.6.25126797C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000303093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:28.709{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.5.212151558C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.709{5097E253-96BA-6149-5C2C-00000000FB01}77607424C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:24:28.709{5097E253-96BA-6149-5C2C-00000000FB01}7760\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000303090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.693{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC02B782BC608EFD7BEC100D378DE7C,SHA256=21FB51E8349EEE58C164058035AE1B012962EE3FB0BC607C7FC2C68D5FD3A166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.675{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.675{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000303087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.675{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000303073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.674{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.673{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.673{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.656{5097E253-96BA-6149-5C2C-00000000FB01}77605700C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.667{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7760.5.2121515584\1389976368" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4212 -prefsLen 6523 -prefMapSize 244994 -jsInit 1188 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7760 "\\.\pipe\gecko-crash-server-pipe.7760" 4228 1b60ce9c138 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000303063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:24:28.656{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.5.212151558C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000303062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.541{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E9CFFC63BE73FFBBDDE4034BC6149F,SHA256=78516B5C509EA22C6860BE2463B4F582EC05E4D1093F5E429A4497E0D83D0F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.509{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3114425D95938D4AC88C3F6BAC68441E,SHA256=4BDC953B214CB5AEE95B7A85544A275BD0294EC2894C90DC9DBE1F43E18F777E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.509{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.456{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\pending_pings\beddd435-6713-4835-9a3f-1aee656b09b1MD5=A74EE9397C934B8F4689FDF18EC83DB5,SHA256=8F71202997D32F61FC796DFEE6EF0CA1D00D27CB8F91A5AF5B18F8FCF98431FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.456{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.425{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.325{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.325{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.310{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.310{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.294{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.294{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=712B8C7A66DF4ED0B9AA8D2493694283,SHA256=6F26E72275874E94F6B07404EC6A9DA918D4E1FDB20845CFDC9FD4A672F74AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=712B8C7A66DF4ED0B9AA8D2493694283,SHA256=6F26E72275874E94F6B07404EC6A9DA918D4E1FDB20845CFDC9FD4A672F74AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=337C1EDDC25347D3A9E2E6812228C030,SHA256=6157C6A32FC5A83A824AFDF23C747588E211D500F057F4EC1984ED198EC27660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=0920B38B648E788555E845D85ACDBB9F,SHA256=6666ADF4A9C309D2E1C1DA48F6A348B15EE9B685C201DD03B62409350DA2DBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=CD828BD55582C1FFE35643E8B44BA1FA,SHA256=DC2176B3E40B9403F4AE9BB54F412AF66F906D505A04993F7881681171CD4609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=BD6E26F31EB7C2FAB45AC086750058AE,SHA256=E453E0B7B033B3D7549337E588855EBE25D05180BDA290B335361E41CFEAD084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.241{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=FBDE3344DA5848465801C05871FABCAA,SHA256=46D1C04041C53E3CD4B276CE9D00EA55F3F2E6746912044C13F2A2D87AE7CC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=4FDFD76502F86CDADD8C911EAB55F8E5,SHA256=70172854261CE29CB483339588D719106D410199FDCD744BAC2C1D9A7BB5F813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=883FAEDBDD1AD670C79257969FC2C023,SHA256=B809E14464855DE4A5B14FEEB2E0D09D23F1C8D1444BE3406A6C1FE63300C574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=A70DCCE0852D4476D1963EADA1451088,SHA256=6AE9DFB9F5EAE7D3910CE88ED2E7A15BF35BD49BB2C318B03437BA6CA8C2F6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=72343E65718D2B1E1E1F6B8FD26B751D,SHA256=0B52DE4C598AB11C1A8162E439D982F6CBE4D54C8CD8B447D7E21AA6D28BECA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=EA4BB8BCC7F217C3D319DBE7D63F2ECA,SHA256=DFEF6E439ACA9C61FAD123236CBF36F3600614C77AD0ED13F35EBDFE311BFE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.225{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=C95DF2A5AA558BD82491C2B4FC9B5905,SHA256=5D323EDA616485A073D3F79BD35D64DB6CB26FE0E21F2217479DBE6AD8B7F413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=B044B5A7655CFAFABDF72E797EB425C3,SHA256=0B1722989F71613628F24CB639FA9FCA9AC306FDC02E8C2C1F0265B0BC353B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=4A374D918DE9094483C0C596ADB6A124,SHA256=03851EA5251ABA9AA176A546FF63020474F040267CCE19F3FBF2BDA06950A0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=6D6BC0243F2EA176744A4A167E8AE356,SHA256=749340ACBA23A0A81146C747F38CCFEE2CE7BDB7C15CB9B67594FC3E20975519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=330586F1D9EEC31D2D06AD14568A123B,SHA256=75FA17027B7F0F722EEE2786CD682CF321F8D437AB082A35433505C9690A1F78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=1BD6229215A4F13C28616D14398D9A26,SHA256=30770BA9CF427359C55A35AF9996B795A09073E1148CEFAAA25DB6F79611D772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=7ABFFE156CFCF61314ACF60B8B8CADE8,SHA256=D33B384DA2A6542D3F4892AAE6CAFCB2B769D867533F71EBF28DACA82EF68CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.210{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=F3A4C687FB46E4E224BAEA86FCE084F1,SHA256=6AEE372F066917E3FF24C2FCCC97870A0E609BE5B955702F7C42E0CF6B39E318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.194{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=A0C1E5E03A4E505D0E66776C91645D95,SHA256=268FF8B82C8CFFB579E49CB4CE69FA018D69E3A8BD955D6E93BC95F7E057CCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.194{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=A0C1E5E03A4E505D0E66776C91645D95,SHA256=268FF8B82C8CFFB579E49CB4CE69FA018D69E3A8BD955D6E93BC95F7E057CCCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.194{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.178{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.157{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.141{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEDDE3192176C0A7BBAC277BC7BE915,SHA256=925F5736D12363C9781449580037812A0BAC55898C1FB4C09AE1CF7A1FDFF33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.141{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.094{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.094{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b7b74f|C:\Program Files\Mozilla Firefox\xul.dll+1ab2937|C:\Program Files\Mozilla Firefox\xul.dll+efa040|C:\Program Files\Mozilla Firefox\xul.dll+bfb6f4|C:\Program Files\Mozilla Firefox\xul.dll+3136cd|C:\Program Files\Mozilla Firefox\xul.dll+399c9b|C:\Program Files\Mozilla Firefox\xul.dll+39949d|C:\Program Files\Mozilla Firefox\xul.dll+be61ca|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355 10341000x8000000000000000302996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.094{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c|C:\Program Files\Mozilla Firefox\xul.dll+be9f77 10341000x8000000000000000302995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.079{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000302978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99AFD4B1AB472BDBDC6723CA1B6CA978,SHA256=D6A4C16B692963F08A7DE612B7B462F844B64A248527E1D7600D920954F3C02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000302977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141154F6A929AD62CC43C916D2083082,SHA256=3E2903C112713698F05A4BAE235C18572B587632DEB8066C09A63A131075A0AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000302976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.028{5097E253-96BA-6149-5C2C-00000000FB01}77603620C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.028{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000302974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.028{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000302973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.013{5097E253-96BA-6149-5C2C-00000000FB01}77603620C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96BB-6149-5F2C-00000000FB01}6592C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.997{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:29.847{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEFF3235895D2B3C9C66E0AA9BAFE7E,SHA256=F37DD0AEDF92D2BEF5F8E4A009F6E56ED307FBF4E09EEB8F3AF785A1108EBC02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.717{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61081- 22542200x8000000000000000303191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.406{5097E253-96BA-6149-5C2C-00000000FB01}7760e11847.g.akamaiedge.net02.18.234.244;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.406{5097E253-96BA-6149-5C2C-00000000FB01}7760e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000303189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.717{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61736- 354300x8000000000000000303188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.716{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50177- 354300x8000000000000000303187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.716{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50364- 354300x8000000000000000303186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.716{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61574- 354300x8000000000000000303185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.714{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49592- 354300x8000000000000000303184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.714{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52544- 354300x8000000000000000303183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.714{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60735- 354300x8000000000000000303182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.709{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53341- 354300x8000000000000000303181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.708{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52427- 354300x8000000000000000303180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.708{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59709- 354300x8000000000000000303179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.708{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59521- 354300x8000000000000000303178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.706{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63908- 354300x8000000000000000303177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.706{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62493- 23542300x8000000000000000303176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.424{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6D26D7AD5ED279A065A403078DB26E2,SHA256=D9AC89D392C166B8017E85277230B92DA64E81EAD44F7EE2ACC7CAAA81D94158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.594{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57997-false2.22.9.106a2-22-9-106.deploy.static.akamaitechnologies.com80http 354300x8000000000000000303174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.578{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57996-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x8000000000000000303173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.572{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57995-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000303172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.571{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57994-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000303171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.570{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50115- 354300x8000000000000000303170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.569{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64601- 354300x8000000000000000303169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.567{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62401- 354300x8000000000000000303168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.567{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57993-false93.184.220.29-80http 354300x8000000000000000303167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.566{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57992-false93.184.220.29-80http 354300x8000000000000000303166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.566{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57991-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x8000000000000000303165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.541{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57989-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x8000000000000000303164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.539{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57990-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x8000000000000000303163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.530{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51738- 354300x8000000000000000303162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.513{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57988-false13.226.145.33server-13-226-145-33.dus51.r.cloudfront.net443https 354300x8000000000000000303161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.464{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57986-false52.42.216.19ec2-52-42-216-19.us-west-2.compute.amazonaws.com443https 354300x8000000000000000303160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.455{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57987-false13.226.145.33server-13-226-145-33.dus51.r.cloudfront.net443https 354300x8000000000000000303159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.452{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50228- 354300x8000000000000000303158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.451{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50987- 354300x8000000000000000303157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.447{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50688- 23542300x8000000000000000303156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D982C50927C3E1F3B3AEBB7537B7091,SHA256=A30FCB2ADCB3351F602F3361E37AD24A7F3E8EB330BEEDEDACF641D69A6FB628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.110{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.313{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49288- 354300x8000000000000000303153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.312{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61485- 354300x8000000000000000303152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.310{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52069- 354300x8000000000000000303151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.253{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57985-false2.22.9.106a2-22-9-106.deploy.static.akamaitechnologies.com80http 354300x8000000000000000303150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.253{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local65519- 354300x8000000000000000303149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.253{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64935- 354300x8000000000000000303148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.251{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50836- 354300x8000000000000000303147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.230{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57984-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000303146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.135{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local57983-false13.225.78.106server-13-225-78-106.fra2.r.cloudfront.net443https 354300x8000000000000000303145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.135{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52071- 354300x8000000000000000264345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:28.598{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:30.894{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43668E624C4B9837DC051F8A53B6018,SHA256=ECA696B4E2D5BCCDFE91B56BE1EF6C8879C293AD486552028E7289838A34A6F8,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000303201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.409{5097E253-96BA-6149-5C2C-00000000FB01}7760e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.409{5097E253-96BA-6149-5C2C-00000000FB01}7760e11847.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.407{5097E253-96BA-6149-5C2C-00000000FB01}7760reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000303198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.884{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58871- 354300x8000000000000000303197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.883{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51813- 354300x8000000000000000303196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.882{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53707- 354300x8000000000000000303195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:27.882{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53208- 23542300x8000000000000000303194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:30.509{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8836101FDB2FA578706778D6594992C6,SHA256=A7E965A7E22227EAB968F1D4C7DBE6E9CDA5B7816EC0213D54AF5E2739BAFFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:30.039{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89785BE159B60413D62F48B306BBD813,SHA256=A9E1417A0B8C6DFF59C18C7CACDE2F35AC65917D065D803ECC9C566F16C345CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:31.925{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2B674F640D92C0CECACF756EE7A53C,SHA256=715AC65AB239057E58CAC5EB8746E36AC74D11F218951B38A51F085FABD93064,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.623{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:58e1:83f8:86a1:ffff-58870-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000303211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.623{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local58870-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000303210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.623{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-966.attackrange.local137netbios-ns 354300x8000000000000000303209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.623{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-966.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000303208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.622{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61551- 354300x8000000000000000303207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.620{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51482- 354300x8000000000000000303206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.620{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63854- 354300x8000000000000000303205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:29.618{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62935- 354300x8000000000000000303204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:28.467{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local57998-false10.0.1.12-8000- 23542300x8000000000000000303203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:31.655{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F4FF87C42CCD9B3101368E967A4032,SHA256=E4C104E5BDA2A95B66C0B70A8E2DE2543A93EEFBA935BB18A5488B4B029AF59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:31.055{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB4F6D1FB54CD64F2C44258DA8D78A2,SHA256=3A75BE536526488F75285504E4F621AE2FFF2B37FABFBB042D31BE1E03509B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:32.942{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C71BAFF84460F1CFC06B8B4117EAA7E,SHA256=EDBF5E973712745CAA562940E6ECC7742E307E75E9BA13A1ED32B1EB615A6A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.938{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\17926MD5=C69187E17380CC28FA4A77EFE9E3CF90,SHA256=D0833F74044E9E987FB57384F6AAD0D5562A253CAC9BF7AC37B62D09965BE4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.938{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\4327MD5=E70AB601921B69179C0392DD4B512972,SHA256=0F1DB99190A61CC552E89B68D56D75C9F3B61198711755CB92E8DDB180E3F7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.938{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\32247MD5=083E8718477E5C0D8530F4E84129094A,SHA256=B0C5BA218FDF4E852578AC146DBF56971CBB463D33664370A78916CBA3987A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.838{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=021BC883828FE5463B0C083389F3D6E6,SHA256=67343EA94CD6E28AB24CA40C14C6A665B8C9172D2FBBB261A63E34276696F12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.838{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=D4C20AB6187F6B84C64DBA9E79AF22C5,SHA256=039E8581DD7CE243A69A1D161D733C71648C3DA2D7CC32211454E5B24A679BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.838{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=C30A95F3CC1663A33DFA216964393E89,SHA256=280F9518B53E40C8E9D4030B0A495E7253B20E657501691B10333FC981090EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.838{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=1E3A16F133205A7B7FD84EAF94496A24,SHA256=F0D86692CAA96987B1E2F2CED59B09EA3B0C50C452897C665164DCA158EA63F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.092{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5411AAEB6F232050B9C3005D04B04B,SHA256=A5FB1C833BD127E05C69D1D00A50F3E1F964D715C762CD5D20C193101E15A47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:33.974{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9531BE215A9130D7043229EAFD996E,SHA256=0F2CD9F46852E82FB3E16F085ECA9319A8DAEA42ED1DE87354C23ADAD1569E4A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000303230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.591{5097E253-96B7-6149-542C-00000000FB01}5960wyxkaynscggwqt9003-C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x8000000000000000303229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.591{5097E253-96B7-6149-542C-00000000FB01}5960iajhctxpoxg9003-C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x8000000000000000303228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.591{5097E253-96B7-6149-542C-00000000FB01}5960emybxdqu9003-C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x8000000000000000303227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:31.493{5097E253-96B7-6149-542C-00000000FB01}5960wpad9003-C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000303226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.853{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E67C9D7F9A4ACAB8DAC7312F6CACF23,SHA256=232A31AA51CF36174949C67AC5AF9E0E25B2D9D8A2E1BB5A1F13CB245F9DE5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.706{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=601D9417115517790EDBF8A2F5EEC200,SHA256=4C52C5CC955F341340829CA67C9D9AF63F1C16C00BE26F92317CC83BD0330874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.591{5097E253-96B7-6149-542C-00000000FB01}5960ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF51ac591.TMPMD5=F86AD5BF47C0C04BD7FADEBB3DC687BC,SHA256=63C95479A8D51DEE292395F0CC678FFF08E25F10D0FE1EFDE1ECFCD32BE542F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.522{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF51ac553.TMPMD5=994C895D50AC7CCBD761F7217D82C7F3,SHA256=0F03C66A0CFD89EFCC6CECC29DB51BB2CCBDF992FF9B067D56DBE06813DBD56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.238{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51ac43a.TMPMD5=6E4EEBFF71D2577ECDD838487A67D873,SHA256=2FDD032F06E008D85F75409D29211C429468847C8F914E9FC553145236CF5A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:33.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666FFBD9F965EA06E85EAEC9B76B07E5,SHA256=4D1FC500549CDE60B5F3E2D94E9425771D907155DF041C5F863006B86B895AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:31.053{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse218.87.193.8-19280-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000303232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:32.274{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49302- 23542300x8000000000000000303231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:34.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6333631DC511B35D9A22260ED65E9A03,SHA256=C6BEBDD482EEA1A8474210EEABC2C16C0CD5E4E8C3C7FC131F32D7141D958C05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:31.283{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse218.87.193.8-19557-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000303233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:35.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066E2D41154A18C08F4D52C97826E9C1,SHA256=E048B3E29BEA1FA39BF56CB38F3F4737F103AB827622FEA8D2CB55D1A4227B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:32.410{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c840:56b4:9bd:ffff-49302-truea00:10e:0:415f:415e:5f5e:5dc3:cccc-53domain 23542300x8000000000000000264351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:35.005{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6CF5625A277012FB3CAAF9A42D5283,SHA256=880CDC24D68562A131D4E06A4A94F7DFCF8F3C2AE04A4884375E771EA9982A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:36.677{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:33.614{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:36.036{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D995DB8560F95B8F75DE4D671293AF,SHA256=627F75BDBC63AB5C82EDEDC1B5423712FBB6B58A7191BF03526A97174B7AF317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:36.788{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:36.188{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAACF1C13F0FD34DE8ADD6002C91EAC,SHA256=56864D0B4C1929DEB86C305DD7EC9C898929E0DA6321B4CD08DFEF1375A6D6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:37.083{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F97202F2391FC9BBA2F2B2CD3DF4881,SHA256=FCF50B971ECD77AB78EA26193E233F62A3C9332AC22D3C84E7864518B86B0A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:34.499{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58000-false10.0.1.12-8000- 354300x8000000000000000303238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:34.487{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58435-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 23542300x8000000000000000303237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:37.571{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4140FFBD1FF838FCD00A86768282D513,SHA256=529FA60A2789E4C131DEC9A1F58328428CFDCA84B3D7968FC1CA308504E2CAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:37.203{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33536C2A5BBE11BF687A1AE9F370F01D,SHA256=B5A1284BABEAC287E0917030BD1DFF4131875DAA841B3E98BEBDCD7BDF23393F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:36.076{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58002-false10.0.1.12-8089- 23542300x8000000000000000303241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:38.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7AB2D6E30C8717FC87ABFDAD114097,SHA256=CA56B0C9E3E42A92A360534BDDEA7B5808EB46D3E80E234BAADFEF26CBFAFB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:38.204{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2168B6488E318AC81EC8620DC777DCD6,SHA256=A83A30ACDEF26B631FACBD1EE1ADD80AA906EC65FC141C7CCAFFC0495A2344EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:36.130{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000264357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:38.099{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607690001BE770833684C2D8BA379AD6,SHA256=D9D18553A81ABC8275C0653379FABB5C7CE820F76CB350BE1ADE2771964312BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:39.146{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B79F61C2510F8CE38E9146C25DE844,SHA256=ED13AED5840A6DA40C8E301D8A5F7AD2D746AA425B0FDA0645C9C1274E507E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:39.788{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:39.788{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:39.788{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:39.788{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:39.219{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42798EBD03535EA78B8CAD65CEDA8CBD,SHA256=87646B8F72C265075BE4AC2F5DFC60DBCC5CA66167031583C8ED223CFAA53EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:40.177{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1941F4B298B44235DC76F1A6DE4E2C,SHA256=A4D679D870FEC9C1E0A3AFA403F0F24B29A9D33190EE59559F581D0EF70E43FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:40.967{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E410922BB2CD9BCAC7775C800A626484,SHA256=9E3902AA7B73427E4B99CC59177512D236052926B0B14FC9D9A95183AA40E564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:40.634{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=DA36A9994A754934B0B556D506C61444,SHA256=363F9C7CD35C0C9DDE8C10CEF3E3B33E2B6DCBA7B5566BD0CFF0EA650105C931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:40.234{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92193A44168CCB57D2DB6FA932367DBE,SHA256=54E6C055343AFABD9409CEDAF541B0DEE30563535A5CC8EF9963A57076C7D6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:41.249{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA58197F4F24D2B2752468854671355,SHA256=6F6965FA0D42D7E43759ADC7E0C58E69D3CA759EBFE152F169501B154D06E34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:41.208{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8008E7270053E2A489BB633E4CDB67E,SHA256=E4FB51522EA3598E03C1002F6C203C5B32014C64DB0C9DE8879E60379E43ED90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:38.744{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-58435-true2001:500:9f:0:0:0:0:42l.root-servers.net53domain 354300x8000000000000000303254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:40.397{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58003-false10.0.1.12-8000- 23542300x8000000000000000303253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:42.269{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4681C9888C686C451BFD31DB17CF5317,SHA256=6E457AE1001E3888DDB1C76C2007CC90EBD547929DA50F1F489DB2E2F607EB8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:39.551{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:42.224{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983CDED2A563C132231F9F23B1AA7AFA,SHA256=E1820739D80CFE9FFD0FE7999B8B85929E1F3DD0282CBA0D701C7C34580C548E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:41.638{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.42-55331-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000303255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:43.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A765F1ECB3C1CE3CE5C945D258452918,SHA256=23B5602D045535AB14681C3DE15A16BA4226E91AD5BFAF078AB236361A2AECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:43.255{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4040686603308B5A6F179BF3A6A984,SHA256=9A6714F49C5D3D2F1EDCD534BDC79219DE6A16E04316D2784CA731A04FCB6A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:44.319{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C919EAEADA2CB544A13518211CA23174,SHA256=696EC000D6D5212E1BB19FEA9290A028B64CF7120F367FE25FDFF9EA2C7AE432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:44.270{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91F8DEEEE70D34475CC63E1EFDE790F,SHA256=889A19601B1404477403448CE52755B940D3AE6A31074057B80AA90843A61716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:44.051{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=83F30A5DAC9601005E2659694C718F9B,SHA256=6B92B20A599EEAF8A3C6AD73F8C42FDCE4782FB830D2E980ED550402577EA179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:44.051{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D1ABC83BCC7C609ED83B16B35EE9635,SHA256=6AA2397B6385C7FC98E66B6C04780A00141B7011F586927358CC7F45DD83F6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:42.513{C189DCE5-4A3F-6148-1400-00000000FC01}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-917.attackrange.local49302-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 23542300x8000000000000000264368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:45.301{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7869F440270BEA1D8EC1F86C6A32ED,SHA256=3776645A228D597E43462C452471AB43B52765CE7D7DF137C246D833578100AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:45.366{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375197D872F8535C594C457DC2808FCA,SHA256=FFB4B11C9FC50CB9F8C3D8760534036F6EB7AA7252BFC24E0C43C754D68354F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:46.385{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60B7E6F6F3CD1DB7D7F0E3FA76184E0,SHA256=66A3D90FCAA1D181C85D5E875A6A09A3DB8622B4DBD97D130D64E587EA58B54B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:44.691{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:46.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0ED65BEBB9FDF0E8E72710FDFADF22,SHA256=014155383E6810398EBF7ADAD710A4B992E1936BFA78AD356446BC6B402D796E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:47.379{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE560CC9A30B7129344EA4415F142FF,SHA256=7A9F45BF2AAFE38376B47B473F4E8068BDBC178E803FA5A0B9D46644737CC289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:47.388{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB92A2733095DEBD7467E53DC1A3232,SHA256=F195D450C08D5CC88300E873AFCA8319E5C59DF3AE884F53F113708EED5D4F37,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000303270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051afaf9) 13241300x8000000000000000303269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0xc15dd911) 13241300x8000000000000000303268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0x23224111) 13241300x8000000000000000303267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aeca-0x84e6a911) 13241300x8000000000000000303266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000303265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051afaf9) 13241300x8000000000000000303264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb9-0xc15dd911) 13241300x8000000000000000303263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0x23224111) 13241300x8000000000000000303262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:24:47.263{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aeca-0x84e6a911) 23542300x8000000000000000303261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:47.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0C9BE0E32A581C9144F9D2AF428AE5A,SHA256=DC3EBE21A2029B8ED380789AD80F8E924ED860C7C4C817D624518D8879ED40EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:47.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43B6DF791B16D5453194C92D6F8CC571,SHA256=FA0E73207D2BC278289A764D8CC6ACD42635550851F2EB75055C964827E88E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:48.442{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BE0A2B8518C6D42341DFC9F7D15693,SHA256=43F913C6FB568707CD54AF120A20B1C44E1E3A6FD3109A468CA5C854513EFD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:48.836{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0C9BE0E32A581C9144F9D2AF428AE5A,SHA256=DC3EBE21A2029B8ED380789AD80F8E924ED860C7C4C817D624518D8879ED40EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:48.518{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51affeb.TMPMD5=F6F7F7DDF2B8C66DF017EB493935531A,SHA256=8D58D2CB2C137CD80DA3C1633FE25A9CB10EC4E407AFF4510CDF941D55166EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:48.404{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24BA088F81E78A79EF88EECC56A4049,SHA256=5D6C2B8FBDB70A627884C4A38155308BDC7207DAD52B418F1A8E5622FE10DEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:49.457{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5139EB674A4E58B92E3541C766210C5D,SHA256=8425BDF6D7C3EC415198260B031ECF4B51DB150611458E045667D00E0F9B96D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:49.419{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871EAB0C85048D880A1EAD7F01ED684D,SHA256=0213D0A42F17B10158BB10E363A06E6C901F3BDFA3C5CAAE8D5C315C0E3ED320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:46.356{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58005-false10.0.1.12-8000- 23542300x8000000000000000264375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:50.473{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34817EC7191F64B17A36B2A7AB6DAD2,SHA256=D8A30B8B826F5C3FE0CDABAB22ED44D71B54F10F60C6649DF6D8D3FEF3094AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:50.434{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62C8D89D4518D1E5CE79A744A8441BA,SHA256=C448A1026B9238F97F89C0DBF2595EF8D19BCDC0FB2BE7175676F1795AB762B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:50.403{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E831CE09D21D5E63468802A878DBB631,SHA256=52BDAD004BA133FF21E2EDB5C179A50BF16D95E9E7D590D958A94DB31AB0C872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:51.449{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E06A6E291E64C1E2FDA04FC41D4D745,SHA256=2771AAF667D90772E3852F7DDCBD24B998D678696DB3544AF4CF0E498DBEA28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:51.504{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42ABCDA5129F56FB0994836A7BA2CDE,SHA256=CF98905B510D1B54AB9ADE34A77A1705C1198011AD909941AD69DA470989EB67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000303280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:51.271{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\3.png2021-09-21 08:24:51.271 354300x8000000000000000264378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:50.659{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:52.535{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A23257E07807856A15F2F04D2B0279B,SHA256=326753281865AB5476B213F962265F52D8020AB9162556AB27F237607BBC1FE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.701{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D4-6149-612C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-96D4-6149-612C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.685{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D4-6149-612C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.548{5097E253-96D4-6149-612C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:52.465{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1990B3A8EE1B7A5D74B38049D3D6ED,SHA256=3338281F4021F781BAB5D4E7D84F5061C409EEFD5F7DF2629340AE3E456364BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:53.567{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB344ABD3C10ED809E71B356639C342,SHA256=A17DB3C733D3D4ED4124D2C097BAB371E4F5F125E5A5BEC08926453128934D29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D5-6149-632C-00000000FB01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-96D5-6149-632C-00000000FB01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.984{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D5-6149-632C-00000000FB01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.985{5097E253-96D5-6149-632C-00000000FB01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.762{5097E253-96D5-6149-622C-00000000FB01}76887248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D5-6149-622C-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-96D5-6149-622C-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D5-6149-622C-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.364{5097E253-96D5-6149-622C-00000000FB01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:53.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC7164E7D774CB198D7B7DAAE69D3B,SHA256=1EDCEB4763C3C4709618B5B0544558C786B4A2857DB89F35CC3E29A554BBD933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:54.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA78CE6B8D7B14F54564ED24C2A41487,SHA256=EBDB5E3946C0CB884CA3CAA57FD34F547A2F4A8794340997FA02F6D01C28D5AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.921{5097E253-96D6-6149-642C-00000000FB01}5792720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.778{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D6-6149-642C-00000000FB01}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.776{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.776{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.776{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.776{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.776{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-96D6-6149-642C-00000000FB01}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.775{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D6-6149-642C-00000000FB01}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.636{5097E253-96D6-6149-642C-00000000FB01}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.633{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F17C179F7F8817AC0741841A451023,SHA256=9C4D1F3826E29FA3E94A4444442A8E09E96EE1DD5BF3D5D857E51DE71CE71941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.333{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F376AB080214D0989D49FA1CA34C6D65,SHA256=742C28746794FFA2370FD4905C16F4AEADEA642427EE789A759DCB04BA27A147,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:51.473{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58007-false10.0.1.12-8000- 10341000x8000000000000000303309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:54.146{5097E253-96D5-6149-632C-00000000FB01}6772940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:55.645{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B70FE18A3CA089B21B01A25C322497,SHA256=094B943B5EECA36FA1A33FBD3E079487F79DB60A57BA23BD604DE220C9728A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.652{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145B1D0105ACA0150C65556051404C1C,SHA256=07DAD2E6D319AD086C46261022C2A010FC31DD7D968CE6AC79CF37BA221F9C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.605{5097E253-96D7-6149-652C-00000000FB01}6328136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D7-6149-652C-00000000FB01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-96D7-6149-652C-00000000FB01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.452{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D7-6149-652C-00000000FB01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:55.453{5097E253-96D7-6149-652C-00000000FB01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.686{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983C7603DA17387255A3B074B9AD5BAA,SHA256=C1F0B113695211830597BDA7DE0C05AE3F62161DC9D6F642A734CE5B75CC47A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:56.723{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA596D53862F65DF36BBF3BE894F7CD,SHA256=0B686654C74FF4F190709207B6F3496C2770C9353B6AC47C19E657C2E3D39C3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96D8-6149-662C-00000000FB01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-96D8-6149-662C-00000000FB01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96D8-6149-662C-00000000FB01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.136{5097E253-96D8-6149-662C-00000000FB01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:57.703{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A84325E3ED2F947E4B3B490577F1607,SHA256=417D6A7CDC608591F8087D6514165A626BB00EC387C68D5C13EFC654B5350467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:57.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF28EFD8670534F3AB6170CB4F00C436,SHA256=4E29A5B9E70B0FBDA0F385480EAE3E964B0E574828320550F7930CA54522CC23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:56.581{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:58.754{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C026362DEFF07FA1052FBB7CFAEB7E5E,SHA256=33F228FBB8964D86463B2AD7A6FEC6B4B1B3D41922EF1907D26F8CBA312C3329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:58.718{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B631971E08F16917427632B3C98AB40,SHA256=53CB6CBCB3A841605D09B94C8664830E4AC9D67F52E7DD8B24504FA489B3F1D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.013{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58009-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000303344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.013{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58009-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000303343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:58.103{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:58.003{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:24:59.770{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C40F869FE1DE6AAA5EA38FA497DBC34,SHA256=BA206DDE80AD8CEC12246EFBF96BFD1DD4F792A9ECC22DA60EFDBC6CA1EF3330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.748{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA707A5A58BDD480C26963BC4507818,SHA256=5C07F766FA5E95465647C5D6272FC70E522D7C9E7647CA3BEC1F9273FF1B23B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-96DB-6149-672C-00000000FB01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-96DB-6149-672C-00000000FB01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.633{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-96DB-6149-672C-00000000FB01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.634{5097E253-96DB-6149-672C-00000000FB01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.217{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3064CCCB43545038023D99BF1917B31,SHA256=21A5AD9FCC91540CD7F6EDE85A3686BCEEAD65E57B338A192D7509D1B841096C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.796{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local58010-false13.226.145.33server-13-226-145-33.dus51.r.cloudfront.net443https 354300x8000000000000000303347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:56.793{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64435- 23542300x8000000000000000303361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:00.762{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844FEE091A61C43504FF8D393A6FD480,SHA256=6EE8CE9EB97ABB31F8C3BCA9A588FC4E1F237BD06B269469EC4CEE0D331D07F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:00.785{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE67525EF27AEE5EEE57A55A35CC95A6,SHA256=E0B594E80A73E66CF15CA9B1670459CD8CFC0F0E2E72B1E8A38489BC7DFC07FD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000303360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:25:00.294{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec2-0x2b3bd8e8) 354300x8000000000000000303359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:57.374{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58011-false10.0.1.12-8000- 23542300x8000000000000000303362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:01.795{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2443BBB5AE0A8750A52BCE8A659DF124,SHA256=FF2C4EFCFBC5732CDFBE3218CFE76C086CDEBBBAC8B1F726F86CF1201A7275BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:01.801{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFCA4D8ADF79D2CCF41042D48AA4B00,SHA256=01038F5BFBD8A1916131F9DA8739A758CC19E9A12B54E9FED6FC32D12392DA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:02.817{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D472304F16EDC2ACAC56AFAE4A9190B,SHA256=D4A93C3BC1F1C00D4CB39A070CAED377F28B7E29BC020AEDCD0A8DC253FEA81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:02.817{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4383CCFA5F282399EBD20CA1432AD4,SHA256=B75AF2BA63C805250C111FC339324D055BE69E319D56A3C3058C40D44451981E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:24:59.587{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000264391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:03.832{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54126BC7172804C496061CA1802EC688,SHA256=D53EB86AA354E75438FC0DE589445F0445E8281F4A8863AAC52B4E744E72171F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:03.817{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12BBE45C625D660E91FDAE90F457693,SHA256=96DA8281D6B0E2547AE0B07EE05A93D19630F54B2E5D36FB8B0A981555D751E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:03.348{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E78E1178AD86D27EE3E024CE82F27B0D,SHA256=582FA2685A2905E6798A47C67874CEE745C12E602CA89E280E131F486AE96BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:04.832{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E08F0BC25E17B3E3F5BC566F3052E8,SHA256=6385B24A0A7EE756B5D2038969D811E7B9D61BAF84D13BAD6B0C6AFA65E57830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:04.846{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E2E5A21B08FE5001705BDAE82A84EF,SHA256=D97C0B18EA97EDE4914E6DFE2E553F525F4CCA1CB2895C4514E2997BF5ADC795,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:01.597{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000303368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:05.847{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D50E7A7A311266354C441C3FDA43178,SHA256=6B757259669B2849B5672E87B2F3BB8EB9E33D46AF3C2DEE366C886720A93CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:05.865{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63724B96A30D8E9F3FBFBB385653059,SHA256=02B62FC981289E5A9D74AFFCA4A2691EDE00756C6CF119EC0D78FDAF1E3CFCE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:02.573{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58013-false10.0.1.12-8000- 23542300x8000000000000000303370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:06.932{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1391MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:06.861{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB7FAFE62426614CAB3A817B3DE6629,SHA256=2BFFAF0B06612E2234057F78062B23B690BDD0CD5219F4FAC71080417E103755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:06.878{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62F810C4E4C7C7485030E3718087B10,SHA256=22511E452ADEA310F2B54CE5CCE2B28C83BA825DCCD8A06D3D0BE1151C7E895F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:07.946{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1392MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:07.876{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E431C0166313FFEE72A0C9265D9DA8E1,SHA256=ED687F0D66F477AE94E380D75317AFABD3AB39B37579C38E90706721B5BB4177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:07.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB28C647D6FAE1D398B36A18BEC53E43,SHA256=4418D52D02FA0DE288F8C0D4D17168113C71FA10C1E8540E6019DD46D36315DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:06.658{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:08.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7B3D643E9438A759670140D50126A0,SHA256=6F8420E7B16B20264D5E83FE21818144702B306D1E1F0F02F75A8FEF21A53982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:08.929{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816780B38B1298D676367C64B45CCBD4,SHA256=B5DDB169AB5334423D494ABDE0D0543A99E9776D7F10EB7994D3D973F1970F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:09.909{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432E3250024C939B9A664C59267F5B13,SHA256=33A11993165B01FE054AD7405622FEC275311428138D4906F898E1473EE6BFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:09.943{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A6931895EA4AD62A78BD10AA50A9D6,SHA256=28D72D1D1D0E82C553B3E679CD3CE0ABB30707C6183CF66DE0696BBD618DF07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:09.792{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:10.925{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821CCFB92103EAD1B18A2960931DFE61,SHA256=50A0BBF3A6C09FFEF582BE24BFA66E2F9C9F4E0972EE056BAD697A41002C60ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:10.957{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB392A25948C905D84183BE61DD3F0D,SHA256=D3AACB2493E98CE5D387C6EDC6DC05711FB6C7D326DA722FF64620FDA6A476B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:10.811{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092176F7607152E292EA379160E330B8,SHA256=7B0874EAA95947043077C57371340E48967CD66054168E6E70E17EB5048E3C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:10.811{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82232C7EF68BD1C54D4BD173CED1772,SHA256=4B6D60AC5C47F12A2BF64B8DC23D144BA1D27886B5E677969B3DC4524396B2A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:08.339{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58015-false10.0.1.12-8000- 23542300x8000000000000000264401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:11.940{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0219F4977C5F174431C77183529594,SHA256=933CF9F66EFD28AE25E799F6583BFB4C2B9FB4FA38383DA15F3745F51DD40CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:11.972{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884CF07C1CEEED7974DFB1148E8D712D,SHA256=91B41F75F83A5EEFC25EBE7D25D688B5B7483F2BA8A1E2F686CBCF8C5A4A53F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:12.991{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6387AB7D663D132EFDB504C571FCBB99,SHA256=1CBF43A90F6F30BFA4E145D6774B7F1E78090F04732B1982E36B0808929B46EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:12.956{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC21EB7E32F01FAB6E226A327B33CB1C,SHA256=1562E6B6DC4B1A580607312D845AE92DCCCD233F4CA4A33C8BE40BFB0857DF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:13.959{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBF645B70C28023B85DC8FC083850D1,SHA256=29DDDC85870268B915405FB82DF0F7EBDF70EC14014518729CC602A09786281F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:14.970{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44347B98087E4DCE5242D70457CD7FD4,SHA256=225FBB98E4125AA38F265FEBBA00CBB07A306AB2F3F4404DAB8AFFA87AD5A482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:14.086{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1383MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:14.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013B75B2EF7CBD923816F0D8E0216D63,SHA256=06F162B65FE8E2636C6A075D4B88E49920B8FC298ACE377BBAD25A8241F891B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:15.985{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BDFCE79B8A5DF466586A71A4C3E59F,SHA256=F433493C20CC3565FE3B994E18181CFFEC4C5B8446D87E70992075F80097F892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:15.021{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5173E5D7A011487FD1F8F590034F5292,SHA256=DD49ED1D124FF9D83CE8A4C5A02CD653C0CC94FF9B10D45617BEF05D4B7F117F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:12.642{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:15.096{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1384MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:14.361{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58017-false10.0.1.12-8000- 23542300x8000000000000000303384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:16.035{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E67C1C48889E5A3B1966A4A9A99AC,SHA256=701147810BCB42A368153AD01BA5C9616C1BFBCF48A5554A8906F7C1440189F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:17.000{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D459AF0A62B3A0A09867E92176A3683E,SHA256=17FDF946B12B07B103742DA8AF2C8EAEEBF3E7EA866995D7AD0B9D97E938E1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:17.049{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29958D6369C49D41BFE8A08B351E1D8,SHA256=54EBB9489D9B71ACC22CD4E96B8450A06F196E5DA62EB5476AE6871B10B2B11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:18.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11452E8E423982768011E3A2B3C63869,SHA256=484EA8607EDCB3560DB64A64957E4A79299ADCD0128E84C3BB22114565367D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:18.063{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F989DDDE25010991A043E09337E75A2D,SHA256=120C71D129891037E3DBF7892E3855F89560ECEB0A64AE6F43FAB6E5F528EDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:19.032{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8249C642ED5076A6CF9C3FC4EF4E56FF,SHA256=92BA56E9AA18E17D7433461DF0889C13B76E5B161A2BEACF8154B188023B7EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:19.065{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CC1990A176A1A5139AE9523BF7BB82,SHA256=E3D3EF87127653DBD566F3BB685CAFC81D399E658AAE933FB54045E98ACD566E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F0-6149-C027-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-96F0-6149-C027-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.922{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F0-6149-C027-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.923{C189DCE5-96F0-6149-C027-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.438{C189DCE5-96F0-6149-BF27-00000000FC01}7643592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000264426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:18.593{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F0-6149-BF27-00000000FC01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96F0-6149-BF27-00000000FC01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.250{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F0-6149-BF27-00000000FC01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.251{C189DCE5-96F0-6149-BF27-00000000FC01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:20.047{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AFD39A09B72202D16D7166097C6CD1,SHA256=93BB4F0E40143A826B37A6AEFC6DF46CFACBD194D637295B9211D809D0083561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:20.081{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50479A66E2C6E8940B29D620BA1A0FC9,SHA256=FB9C7744B62D31EB0546FC46D26AC785F02E37E854FD58CD83F7D3C81BDEF841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F1-6149-C127-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-96F1-6149-C127-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.594{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F1-6149-C127-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.595{C189DCE5-96F1-6149-C127-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEE092DA69C074B24E09605C3986F71,SHA256=9AF91EFBCFC95B8FBAD9E42289342D4F46FE0F58BC0A15EB5136FDD0A5F8A125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F2767D0E80A9F9D4E6B233A88335B6,SHA256=77A72EDBD993C421F021BA2B2CFC4048B2C25D6D39C4DEB576426F7451A8636C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:21.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D9B621CCF3AF9B2E4728A12053E3356,SHA256=C392CC6F9AC73FC859C28C95F8B8AEA09661D078A1F02B7A0BAA2CC671CB1155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:19.492{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local58019-false10.0.1.12-8000- 23542300x8000000000000000303390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:21.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46677D87C507C0F257AD86732DE9C52C,SHA256=4F0EAB15938E8886F83522B36B85B4614597303451A44F7719CAAED017CB2CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.735{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEE092DA69C074B24E09605C3986F71,SHA256=9AF91EFBCFC95B8FBAD9E42289342D4F46FE0F58BC0A15EB5136FDD0A5F8A125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5561BB479372D209E89AA9D8BB20ECA,SHA256=9AC3C71DA2BA31E3D3884CED19F7C2B2C2978753EDBFD609D4D155358BC6E6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:22.115{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0565550C57E961DFB5325FB148027742,SHA256=AA575756D8724EA5805208A16887C3B629BD29D2397D533209FF2378E1DDC080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.422{C189DCE5-96F2-6149-C227-00000000FC01}11842516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F2-6149-C227-00000000FC01}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-96F2-6149-C227-00000000FC01}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.266{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F2-6149-C227-00000000FC01}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:22.267{C189DCE5-96F2-6149-C227-00000000FC01}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:23.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65F9C6FCFE8C3D8385B7A00149F3856,SHA256=1E11DA8D5F34A5AEF59BCB701276C583563A95D74F29C757FB4D1C8FD8464388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:23.532{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96F3-6149-682C-00000000FB01}4676C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:23.532{5097E253-96F3-6149-682C-00000000FB01}4676\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000303400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:23.532{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9734020935211229156C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000303399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:25:23.532{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.9734020935211229156C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000303398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:23.531{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96F3-6149-682C-00000000FB01}4676C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:23.531{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96F3-6149-682C-00000000FB01}4676C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:23.531{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-96F3-6149-682C-00000000FB01}4676C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:23.530{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10427161096204011446C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000303394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:25:23.530{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10427161096204011446C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000303393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:23.130{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2FC7C7C7928D585874F89656FF1B2A,SHA256=766D0C3AEB006CA005FCCD8FE017FAE5169913271A286871B827E491F0B6929B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.567{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501BFFE7E97F1B50E6E3FA401B1B02C9,SHA256=5C7AD96E9B2E3B7C6E33D71A122B14BE13A375D035D026952B4C43E155CCC6AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000303420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000303419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x8000000000000000303418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x8000000000000000303417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.429{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000303416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.397{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 23542300x8000000000000000303405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.329{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FEC3734D15DC1C5AAC60BDAEEB834E2,SHA256=92EAEB0F6793CD7151C71480DD779D4A91A791276D7B12C256C069F28D3871C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.329{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092176F7607152E292EA379160E330B8,SHA256=7B0874EAA95947043077C57371340E48967CD66054168E6E70E17EB5048E3C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:24.145{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFFCEBE90027A2D621A12A6CD635D2D,SHA256=7822BA57C2956C1210E271EE5D29FDA829BB3CCC129EDD5D4EE754C7C7041A67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.505{C189DCE5-96F4-6149-C327-00000000FC01}34842584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F4-6149-C327-00000000FC01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96F4-6149-C327-00000000FC01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F4-6149-C327-00000000FC01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.349{C189DCE5-96F4-6149-C327-00000000FC01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.645{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03515FD9E650D413E8E0DF8927E2C36,SHA256=C5C8EBBD9AF5CEDD018ADE463565004B577BA98D0B81A571451046010110DE50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:22.811{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61080-false142.250.185.99fra16s49-in-f3.1e100.net443https 23542300x8000000000000000303427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.459{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FEC3734D15DC1C5AAC60BDAEEB834E2,SHA256=92EAEB0F6793CD7151C71480DD779D4A91A791276D7B12C256C069F28D3871C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.459{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004209A35F869E6C517A015778CD1741,SHA256=E235CDE9AE0E0DFE2AE3CD54A974AB54EE82C286DEBBC337DCDFA86CF9E75E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.364{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54A31DA25B3C47B70BFD6DF4DA64504,SHA256=87155FBCE02E659E847A06BFF58B6D6A7510FB8043BDC3C07EED1F1FD9AD493C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.161{C189DCE5-96F5-6149-C427-00000000FC01}29442916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F5-6149-C427-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-96F5-6149-C427-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.020{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F5-6149-C427-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:25.021{C189DCE5-96F5-6149-C427-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF885D0279F1125BC5BDA935A99D4876,SHA256=9998E1A9642ACB2ACCBBB787A74B4A25EAD8D33AB1B6F2D852A32E28F03EAB5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.981{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c 10341000x8000000000000000303436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.981{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c 10341000x8000000000000000303435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.981{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c 10341000x8000000000000000303434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.539{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.539{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.539{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 23542300x8000000000000000303431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.471{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422226EDAD611077A5982978B2D380BF,SHA256=7EEE3FCC0285B979408969C6F32E451941FABFC3ED570F5BBFB6CD9EA26F2E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:24.535{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-96F6-6149-C527-00000000FC01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-96F6-6149-C527-00000000FC01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-96F6-6149-C527-00000000FC01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:26.224{C189DCE5-96F6-6149-C527-00000000FC01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.227{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x8000000000000000303429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.178{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 23542300x8000000000000000264521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:27.708{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5210DEE3D1203AE241BBE0A0C9B426FA,SHA256=4D977A92F0E342ACBF402D912FC348A91B091F84F8E31AB56AA4EC4EB93FD51E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.665{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61083-false142.250.181.227fra16s56-in-f3.1e100.net80http 354300x8000000000000000303446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.664{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61861- 23542300x8000000000000000303445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.581{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_ce6692af-cabd-493f-8954-6e7854008bd7.jsonMD5=A408BA4F79BDE15584CEDFF6F33AE3B8,SHA256=36281DC7FD4D7B341E8E0E92DD979967820A0D0C86B4ACE120CD0DEB55BE1B24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.640{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local64774-false142.250.181.228fra16s56-in-f4.1e100.net443https 354300x8000000000000000303443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.639{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64773- 23542300x8000000000000000303442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.553{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\session-state.jsonMD5=8A1FDD6918CB44C77C87831037416006,SHA256=A5126533E778DAA770E65BE209C87F98C81A0C23E41035AEEEFC40402EE83644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.480{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F037CB6DABCB8D557272096844D3AE,SHA256=89BD6131E481AC57C86F308196706400E86E7D722B7303A6B0EE02A7A2CA1E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:27.239{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32EF03CAC7ED5F539F829F03FD7E0009,SHA256=92DC5E4C30EB1AD91DBEA516BF2BDBF647E87AC7AC5E18B770969DEBCDE6C017,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.361{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 354300x8000000000000000303439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:25.505{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61082-false10.0.1.12-8000- 23542300x8000000000000000303438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.245{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=008BC3DDBA624FC0DA932916BAECFABF,SHA256=EEA9E1EE30657338983ADA64675D5E074C6A86B8969C72259F659A1DF7F2F4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:28.786{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E183E5A12EF0575928B1ACB7010F77F3,SHA256=52BB1BEC8A2ECB40723405C4EF95FCBF89BB5A5C702C024AE376CA10E27CF8B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.085{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61085-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000303482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.081{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61084-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 23542300x8000000000000000303481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.726{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DB727E6299E270BEEBEE78823D4E594D,SHA256=FB2611B9C0580F30BD62F1AB941D5578481D32FCF3F29B412EDFC497D722BCAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.706{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000303479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.688{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.684{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55DEBF2BC4AEF7190B5BD6807B0F188,SHA256=E6F76CAD2B69D1C1D8F3DA08DBB0DA5765163AFFFA3C8DCAB9AF3856CFA1F4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.649{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCFC7D8AB6807D559C335B33542C6AB5,SHA256=1EB5700D825B980E487BF05EC7D8751CB4E379DF7DBCA14E21075AD4C5CF74AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.628{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000303475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.628{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x8000000000000000303474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.612{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.611{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.611{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.611{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.599{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.599{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.595{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.594{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.594{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.594{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.593{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.592{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.580{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.579{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.579{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.571{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.533{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.529{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage.sqlite-journalMD5=9810A53A58126F752E3AB0D7FBED13E6,SHA256=C1D97731219CC1A001BA64752E98733C1491E97A50868B643BC5546AD34CE5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.502{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\protections.sqlite-journalMD5=0988F758A0C1E1AF8F2BF300E719CE44,SHA256=96BAC8EC9D82128046232152FE74B7B27A816B0A508477855070E99E6631F4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.489{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE4366162E08D20F31D9F075B004DA2,SHA256=2B720F03778C390174030007106FEF380180D545F0BA5FA604A11D05F3E73EA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.480{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e4901f|C:\Program Files\Mozilla Firefox\xul.dll+e3814d|C:\Program Files\Mozilla Firefox\xul.dll+403a1c3|C:\Program Files\Mozilla Firefox\xul.dll+229b601|C:\Program Files\Mozilla Firefox\xul.dll+9df490|C:\Program Files\Mozilla Firefox\xul.dll+9a4d81|C:\Program Files\Mozilla Firefox\xul.dll+19dccd|C:\Program Files\Mozilla Firefox\xul.dll+9e2597|C:\Program Files\Mozilla Firefox\xul.dll+9ad29d|C:\Program Files\Mozilla Firefox\xul.dll+9aff51|C:\Program Files\Mozilla Firefox\xul.dll+9aed7e|C:\Program Files\Mozilla Firefox\xul.dll+9ae0de|C:\Program Files\Mozilla Firefox\xul.dll+9b7f1b|C:\Program Files\Mozilla Firefox\xul.dll+900933|C:\Program Files\Mozilla Firefox\xul.dll+89f837|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f 10341000x8000000000000000303453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.452{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+fdc990|C:\Program Files\Mozilla Firefox\xul.dll+fcd08b|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd13be|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd13be|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4 10341000x8000000000000000303452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.452{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000303451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.420{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 22542200x8000000000000000303450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.331{5097E253-96BA-6149-5C2C-00000000FB01}7760www.google.com02a00:1450:4001:82f::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.329{5097E253-96BA-6149-5C2C-00000000FB01}7760www.google.com0142.250.181.228;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:26.329{5097E253-96BA-6149-5C2C-00000000FB01}7760www.google.com0::ffff:142.250.181.228;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000264523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:29.849{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE24F577729170148FB6EC73DAA607AF,SHA256=818101E917AD2883B7DC2E8140FE064D7F25A2F36DDDB2D9A4B9104CC5221B47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.962{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local58870-false142.250.184.238fra24s12-in-f14.1e100.net443https 354300x8000000000000000303553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.898{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61087-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x8000000000000000303552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.896{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-64204-false127.0.0.1-53domain 10341000x8000000000000000303551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.722{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.722{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.722{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.721{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.720{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC53192F8162CAADF27763836ACE9D1,SHA256=1641B0EAB48CA1E49490C2B3B96746CA906B82C7197D316F2FAA343D29B3BEFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.714{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.714{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.714{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.714{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.706{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070CEAD547C8675749E4F2C744F48954,SHA256=8C7E50BBE1B2AA44AE8EB3658338156760117DE2D1DFD9B415130C6A7E8CE6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.705{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84467CFE75646D888DCCB5203A4170B4,SHA256=23A7AC40C0E479BA6019A2EE37FCB818274781BBDD73F730011EAE4EA676CE05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.633{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.632{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.589{5097E253-96BA-6149-5C2C-00000000FB01}77603620C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000303537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.882{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local64951-false142.250.185.99fra16s49-in-f3.1e100.net443https 354300x8000000000000000303536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.828{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64204- 354300x8000000000000000303535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.827{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:100:0:98e0:83f8:86a1:ffff-64204-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000303534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.804{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64950- 354300x8000000000000000303533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.804{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63526- 354300x8000000000000000303532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.802{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64204- 354300x8000000000000000303531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.706{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local61086-false142.250.184.206fra24s11-in-f14.1e100.net80http 354300x8000000000000000303530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.705{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59942- 354300x8000000000000000303529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.704{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53717- 354300x8000000000000000303528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:27.701{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62679- 10341000x8000000000000000303527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.578{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.577{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.571{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.571{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.559{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000303522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:29.559{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000303521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:25:29.559{5097E253-96BA-6149-5C2C-00000000FB01}7760\cubeb-pipe-7760-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.548{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.546{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:29.546{5097E253-96BB-6149-5D2C-00000000FB01}5892\chrome.7760.8.191067955C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.546{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000303516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:25:29.546{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.8.191067955C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000303515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:29.545{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.7.145045897C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.544{5097E253-96BA-6149-5C2C-00000000FB01}77607424C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:25:29.543{5097E253-96BA-6149-5C2C-00000000FB01}7760\gecko-crash-server-pipe.7760C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.500{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.500{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000303510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.500{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.500{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000303497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000303496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.499{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.498{5097E253-96BA-6149-5C2C-00000000FB01}77604660C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.493{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.493{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.493{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.493{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.492{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.492{5097E253-96BA-6149-5C2C-00000000FB01}77605700C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:29.492{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7760.7.1450458970\1838286537" -childID 4 -isForBrowser -prefsHandle 4420 -prefMapHandle 3472 -prefsLen 8924 -prefMapSize 244994 -jsInit 1188 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7760 "\\.\pipe\gecko-crash-server-pipe.7760" 1680 1b608f05138 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000303486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:25:29.481{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.7.145045897C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.394{5097E253-96BA-6149-5C2C-00000000FB01}7760google.com0142.250.184.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.394{5097E253-96BA-6149-5C2C-00000000FB01}7760google.com0::ffff:142.250.184.206;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000264527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:30.864{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6353B1E5081A27FD70E61E841954FFBC,SHA256=41EB5D3FD2E88EA06A2C9FB9ADCF5248A7D96C6FADE0CCCCB1168E0DE5A123AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:30.744{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6EE88017BACFD2404BA192718A8B1A,SHA256=7778F729CF01340C3D58795387BA5745791668452F2FF6037FA3EEB9D12D834C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:28.838{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51121-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000264525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:28.581{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com10345-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000264524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:30.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65E66F8906179814AD7556EE423BA8AE,SHA256=018CAA43C1798DFB841DAB745489B88340A0D09419DA1A5D4B69A708BBADCC09,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000303558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.654{5097E253-96BA-6149-5C2C-00000000FB01}7760plus.l.google.com02a00:1450:4001:829::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.652{5097E253-96BA-6149-5C2C-00000000FB01}7760plus.l.google.com0142.250.184.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.651{5097E253-96BA-6149-5C2C-00000000FB01}7760apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.184.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000303555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.397{5097E253-96BA-6149-5C2C-00000000FB01}7760google.com02a00:1450:4001:80f::200e;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000264529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:31.927{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362BB18B2BE67BE1F53A3126BE0CA819,SHA256=4E3BD8628ABB0FD897ACA80D282A87A4F2D030E07CD125E9B39EB47AEAC26616,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:28.702{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51121-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000303561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:31.748{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4989059F57FF45F3D8C04ADEC89D21,SHA256=F39391D28B340200A1E90F1A03F86B1EBBCDBDC4075DE0D964291CB2A23EB7B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:29.582{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000303560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:31.012{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1260083F8C63D1FCD99B2CFE84C6D514,SHA256=E16A16454F8814A879A76DAE1FD0405B7011482CA07D19E4AABE9978552AF1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:32.942{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866C6B7D4ED95DB5DAA636C6C67AC864,SHA256=D9AFBA30FA907A50703EE084838A8046D857D247305113AA99D2285A340BA345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:30.536{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61089-false10.0.1.12-8000- 23542300x8000000000000000303563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:32.752{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ECD7F0EA696D8663BABF64D6D67EC0,SHA256=98FB980AEF966005A02E9DCB7036AB27757CA82190805F6B938AE8AB25E22526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:33.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E59E5488FCEDA095B22F2E7BD8AA03,SHA256=DF91D8034644F044D9D670C7F40F794C6B8EC2CFC55BA24FD1C95EF0272EB1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:33.537{5097E253-96B7-6149-542C-00000000FB01}5960ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF51bafc2.TMPMD5=7637B25C5823C9E3EB3914156B8EDD90,SHA256=ABA78812CF186A4C0D60BF1B4C7AB86715E3FC9BA1898B157F26293D9D38D53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:33.505{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51bafa3.TMPMD5=F6F7F7DDF2B8C66DF017EB493935531A,SHA256=8D58D2CB2C137CD80DA3C1633FE25A9CB10EC4E407AFF4510CDF941D55166EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:33.305{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF51baed8.TMPMD5=D1C19633DA46DEFDBE4BBDF2B645D0EF,SHA256=676B3E5355FD4DE222FF50353C47517C7CF5DEDD2525B53CD3338151340E91D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:34.832{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1849265CBC49E2CA3E35A640A518019,SHA256=A558AC4EB8678207CD1D28CEA89B64A7645893B1C3D534B18F16325192421A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:34.831{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EE4F9C3520301A1126D5C29614DA09,SHA256=206F2C1B6E052FE6433DAFE16B2104400C168E71619517FE6AC780364499DBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:34.005{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2899EC2BF9CB293C6CC48F02DF7465,SHA256=23FBE9716277A988F5773BEE94E1741C2F3403C0C82C78BC73AADCBE7CDB5605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D5B46C7DA541C409A7C629EA8100E9,SHA256=83279C671039E560DD85C5DF80D7FF96E223504D56BFB4F60B8F7227F65B7806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:35.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36AEE9672ABA0F79C97C991893B1BEC,SHA256=6A3D055393A81924FECEA999D8CEB2C7E6EF4CA5E3979AA4ECA3308A772BB8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.722{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000303586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.721{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000303585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.696{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.695{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.695{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.695{5097E253-8792-6149-AA29-00000000FB01}48161016C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.689{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.689{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.689{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.689{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.473{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-8ACB-6149-912A-00000000FB01}7564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000303576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.452{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.452{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.447{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.436{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.434{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:35.433{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96FF-6149-6A2C-00000000FB01}332C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:36.848{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE45F3AEA7090DFE08E55F82532BFFCA,SHA256=F30FFFDD4D45AAD1F5236CB3593133C2AB205F3C0D44830E15E5547338EEE5DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:34.675{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:36.708{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:36.036{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D2E0DC7C12E24061B5BCF4BFB680B7,SHA256=3C5EA28589FD1310CD8F6C7F6EBDD3D2E1AF115CA9362887DA028E939E7B760A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:36.803{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:37.853{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBBEED1BEF4C727E80C1B35C91CCF79,SHA256=2B8E5D9E7E7BAB73C6C9A9513D15DCE76986A91951622558BA06A54C14F646FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:37.052{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC18F4B45AFE2702D98BF594C6F5464,SHA256=3FF2E89B12ED0344A86A5A4839B3CF469375E1515CAEB2CB7AF6A8C203D4EFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:38.857{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1754A2F65434E20EA101B5712B8220CB,SHA256=6D633D8E537D9362AA04FB1013093A524A942525C385E0C6CF4BCA70F915F954,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:36.160{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000264537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:38.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC2376BE1DC6A97CD787D698CAEBE63,SHA256=C729B3D99BD41DCDE5CE59953EA01A192AF716827C1263C6D4A100629612E43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:36.097{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61091-false10.0.1.12-8089- 23542300x8000000000000000303595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:39.865{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D615C1ACB4CB446C105FD9DB95FF26,SHA256=2E289E7915A59C747D312D8ABF23E33CE53E18B87A756FD8A01EABD837A1B9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:39.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBDF278CF35D73F803EAA94916093BB,SHA256=40F7D4DBEE37BDB6C595276B1D945E65DACE9A3E210775CCDAF18CD1B3577253,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:36.481{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61092-false10.0.1.12-8000- 23542300x8000000000000000303596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:40.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217A04CA953715D4A8B315C9B7276CE6,SHA256=8E366D00E1A840124A658E3635A66950B296719D65E924166FBAD6E4FA0571BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:40.083{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC73DA1B1CC49C418DE007866FE032E,SHA256=E4E54028F72A7C5099060AB5C38B3CFB53E6E1BF9D2CE811FCB3F25DD97ABB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:41.880{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843D15C692887CD12EC171A8E8D36D05,SHA256=73480DA245590004B26DE6BC587A862E92A3968232D45007814DDB8DC07FD297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:41.130{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46339F444F8ACFA6480A896775B65B7E,SHA256=77C3B8A7108BDCEEF38F9043645205BAE3EEDFA2DE6A25CFBE06A89BD40ABAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:42.885{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D113C195477DF1224E4B4C5841E4B38A,SHA256=5DD4D2277DA5DD8C22A8B687D75607C642C0886B2E3D6154EF91475F69CDF105,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:40.644{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:42.145{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D89247375D3ED384D9D1B5D3616F5B4,SHA256=06C8F8E6C12401A3DFCDE489F0EFBF28B7A901B483B8653E0E13B75F95A5A84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:43.890{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B319F8C977975A9FD661BAB3B8AD66,SHA256=014D23EAFB7D1C46E032E2E8D632B87A5E072B969F2B1F0272BF7BE867A50F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:43.161{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4584FD88F711B690BD8F51250BFEF8,SHA256=090B028816B53DB2F6F0389CC2460B5FE1B6380C0617C2C1EB55CF5E39D5C185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.894{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9AC0DA0EBB03428C0B098EAD5B6731,SHA256=F659D847FBD13676DAF01DB9D1BFCBABF838B236C46FF718B88E6E174CC40860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:44.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1301D17A8ED0FF2106AEEC3817E8BCFE,SHA256=6AA1DF7583E9778999173CC1B6F44C62810909F9F0D4A8E263A3586DF877CD0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:42.438{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61094-false10.0.1.12-8000- 23542300x8000000000000000303604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.799{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=6EDA291A4053DC10F1125863E6CA4102,SHA256=70C7E2AA3F4CB01F871159F55DCEE6ABBA6619F09AC08049FB0E92DBD42CA6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.798{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=FF01BF574959B96FB8BCB2AEF6B7ECE4,SHA256=B31A316D033D8A390A96D6F027B5DA24DB8D863FCD162B83C508107B708BB3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.796{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=04A8595F84B1351A3D166D47C40310CF,SHA256=1DA4FB12E9C5E8327397E9EECDE70DC2252B4CF7E87915C8AA27A80DD7D0F83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.795{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=A21829E8DECA6364D8C9C86953C35E85,SHA256=3FE5DB213839B7B585ADFF7677F2D408CB11D2FAB00BAEA1265B6FDB7791C0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:44.794{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=D933208460F319E747A661BF002EEECB,SHA256=C0FF5E416AD53A6537CC4EBB69C61DA9EDF0DC05E7136D9FE918CA4D7BFE5E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:45.212{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827E8C29D7DA4134D973C7E1A73FA6AF,SHA256=7CE181B76A396C3DC4AD0B9E0A02CFEEB1718507A932EA28A31D08E71CE340D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:46.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E839CF357B08A9251A26A4A82F1BF32,SHA256=6FC6119FA807401E349CFB21967129D39159C903D205E5C9EC027E44D292D673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:46.030{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03CD6F2965A3B424D2876A41508DA1D1,SHA256=18070E2369947CABFE0F7EE86CA0C55C9E430B25230004472AB18BEC8C6CFD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:46.025{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89AC9D8E581C14433B2EF527CFB9402D,SHA256=D116B2E67E60A3412315688A32C22D2A945FAEEF01F7A4D4F86EBBF729044B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:46.025{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CEEEEA8C6C70A3B7F23C727C292F80,SHA256=FA9A20BBA475C36455DF9757DF6262900D2A059CF3C244B7D2E5042005CCE02F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:45.695{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:47.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D9DDFEBA420B1787590BDF73AF84FE,SHA256=BBC942B4D4D34B1AB313614EF7F21CE71EFB299888C570DA866A15A3AA7C276A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:47.036{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BEA9B1B04CD160A70CFC434306077E,SHA256=59B8286A6C293FCEBDDE6C97128619FC7BB0B48EC15CB8A7281D8F7E96EF55F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:48.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10352F43C09CD94A369D643DB3F096E3,SHA256=CB83D93047F1675265F900344EE3E2042B6FF8F95E398028E78CBB06744ACE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:48.544{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51bea5a.TMPMD5=116A3297EE846B428AB23018316A473C,SHA256=842B114F596E804AA798EC3B07323D6D57F0E1E013D0CBE92EC4F676AC26553F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:48.041{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92ED05CA07B519EA3F7CC95AE182401B,SHA256=36A1935AE34EB1B2E0FE426144AFD081EDAA5B4571B553E7FCBE900C7CFFD383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:49.290{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1F292010401BA0A7C51AA772AD864C,SHA256=8730CB15DDEC720CD8ACDDD0F523EA877D7694BE7511A1D835F7C85E494944C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:47.557{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61095-false10.0.1.12-8000- 23542300x8000000000000000303614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:49.541{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03CD6F2965A3B424D2876A41508DA1D1,SHA256=18070E2369947CABFE0F7EE86CA0C55C9E430B25230004472AB18BEC8C6CFD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:49.048{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C3B67FA62E6ED927E09543D1EFDB5C,SHA256=F16B762AE990217216F3B5E526D99F3D8C44FA80093DBCCD10D8240694D6D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:50.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F598AE1C74E6F995157E87047CAE1C,SHA256=D72B409F5802B5F1C6B977B53C572980BF251B5036D746768501AEBE9B40DAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:50.056{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86714051A23E928788692C331C4170F3,SHA256=89C8A49F9A45158A2E1194AFD75E9321FC7BB8AF169102F003B10A333712F199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:51.400{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CF47063948E805F338BD90CAED8026,SHA256=20BAAD3BEB7644998547B1DC63344DB6E90CDD23E109FAEEF10AE26092F2DD0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000303618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:51.358{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\4.png2021-09-21 08:25:51.358 23542300x8000000000000000303617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:51.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A587427E246675DCE8F851BC836671,SHA256=1BB5042C7390B63157773E611460227FE3C6F319783127DAB5A33CBC3198ACB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:52.400{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0967301152E121939986EDDF2A1BA6D5,SHA256=464FD3B3133C47B8EDCC47A0A2F48A0B1807F00498EFE176EACD3756F3142115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.501{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9710-6149-6B2C-00000000FB01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.499{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.499{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.499{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.499{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.498{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9710-6149-6B2C-00000000FB01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.498{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9710-6149-6B2C-00000000FB01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.493{5097E253-9710-6149-6B2C-00000000FB01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:52.066{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86040EB0EE6AEAD3001A69B0EF58160B,SHA256=00C7E5A360E9A640DD9FDBD1BA24CC0C85F76253325A760F2DFC68093BD2A1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:51.539{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:53.431{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AAD80D420B62D1E9A70442F4A82D98,SHA256=3D020A3FA08B43A281CDB7463183FD54C610D5F8700CC171FB84637C48EF6694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.996{5097E253-9711-6149-6D2C-00000000FB01}75965520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.856{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9711-6149-6D2C-00000000FB01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.854{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.854{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.853{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.853{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.853{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9711-6149-6D2C-00000000FB01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.853{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9711-6149-6D2C-00000000FB01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.848{5097E253-9711-6149-6D2C-00000000FB01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.174{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9711-6149-6C2C-00000000FB01}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.172{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.172{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.172{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.172{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.171{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9711-6149-6C2C-00000000FB01}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.171{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9711-6149-6C2C-00000000FB01}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.166{5097E253-9711-6149-6C2C-00000000FB01}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.076{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9F8B12AFD9FB0A6BD23E8C1C6762A3,SHA256=7441E429766016EE825CB8BA7ED0F91358FBC298DFE474AEB079D1CC149D08AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:54.447{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588652107A1295169807919F66C0E4BB,SHA256=ACF0DA0EE09A357F76EA9A874E23051996CD06D86C50187656F21F96FAE5F11E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.721{5097E253-9712-6149-6E2C-00000000FB01}47605164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.519{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9712-6149-6E2C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.518{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.517{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.517{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.517{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.517{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9712-6149-6E2C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.517{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9712-6149-6E2C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.512{5097E253-9712-6149-6E2C-00000000FB01}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:54.086{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FFB13DB195423DF58721184D865641,SHA256=13DEF5F1FC05072FAEB70C91A2A5A67AFD52BA132DC1A119EC0D7CBC1BD16D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:55.448{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69140185ED1B9B23BF4C732C10046028,SHA256=EC193AD145E93D51E29CC3441116B7EC0811E9CE042E6095D0E63FBF82AC9D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.867{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9713-6149-702C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.864{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.864{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.863{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.863{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.863{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9713-6149-702C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.863{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9713-6149-702C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.858{5097E253-9713-6149-702C-00000000FB01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.373{5097E253-9713-6149-6F2C-00000000FB01}7052940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.202{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9713-6149-6F2C-00000000FB01}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.199{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.199{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.199{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.199{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.199{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9713-6149-6F2C-00000000FB01}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.198{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9713-6149-6F2C-00000000FB01}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.194{5097E253-9713-6149-6F2C-00000000FB01}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:55.096{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17988738204314BCC8216472F1FDF4D,SHA256=20330CBBA75A0C22377544517238390348AF1109D7C5D757B8FEA1970A10524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:56.464{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027A2D1BC4FD09196C664F4B71A3B540,SHA256=1F8E91B7CC1033042A556FF40E2780A2AC996745176EBEA4EFCFEB9361867CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:53.437{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61097-false10.0.1.12-8000- 23542300x8000000000000000303675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:56.105{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4809BCB2D170816741F8E073254DCC6,SHA256=692267000C18834D284F3C267DF040777E523CC5739FF424C31FF1CF0361BD39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:56.023{5097E253-9713-6149-702C-00000000FB01}10207924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:57.479{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C74C91DA595BEB113E99FDD3F87BDCE,SHA256=7888A0F16D7F4B055CEB67908BC1A5955A4FD779AEF9710AB547B2DDB9E74E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:57.108{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB1F86D740FF67996BA667C34BEAC9D,SHA256=ED8EE28E4A456559DD19A3E9E9686848FB0F2D347139AE2DE2E050FBD398F89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:58.495{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51481168A131E2AF908C33C6231BE5B8,SHA256=DCBFD85A2C97AA0DD012C8485E1BC78D6B709ADB701AD68F568BA7C4D0825249,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:56.026{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61099-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000303679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:56.026{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61099-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000303678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:58.112{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D19A0358B346EF5B698126E66219256,SHA256=D9246F284E36E5051E5E4AE3281C0A514592074C126117EF70B9E7DAB9E8F850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:59.510{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECD1E59668CAA313D413C86A606A4F7,SHA256=4832BC66D6DCF8CCE1EF81E1F8F695C07FF693834CEA37341B69032C4BE0F9EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9717-6149-712C-00000000FB01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9717-6149-712C-00000000FB01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.627{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9717-6149-712C-00000000FB01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.628{5097E253-9717-6149-712C-00000000FB01}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:59.127{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC94D27F984D11A828A71A71B7B04C9,SHA256=EB95B9E25DC52F5651B8E7FE37709D007600B10516D10A5425ABBF72DB6EB702,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:25:56.681{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:00.526{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280E86B8A34F1FE69C4D73340B2C772D,SHA256=566A12A7CB5FE988AE8A0F8089E15C2EB68FEAA72FB2E680CF28CBAF75D2EF1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:25:58.468{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61100-false10.0.1.12-8000- 23542300x8000000000000000303690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:00.142{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25EA9A44C7C81C3488C46F99FEB3A1B,SHA256=8A3375160EEACBFA1565C3EC2C36E89D00E7719AEEBB40DE5E83C809D1146FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:01.526{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863A7B3608C7A2521602AD0F92E42463,SHA256=EB7124B7A77C97DABD2BB60E0942E308405D23AD818C71A9FF3E276820520736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:01.172{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF1E48A6D4DD0C5CBFF05B0BF8051AA,SHA256=909F9F6825192E9778BE23409CBB857ED5011E0FF98067EC3FECD153FF279B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:02.542{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EB8CA5F380C6CB29E893F6D6E0E8CD,SHA256=F9A20EFB07DF4AAD71E3BA8846BFAF8A529801136B555E20BD888D9429CF972A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:02.823{5097E253-8ACB-6149-912A-00000000FB01}7564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=AA70E19E77EFE78AC440467950B22AAD,SHA256=664BE24CA1E5EE3114479DD0EB6C8250AE8FF33D3DBD5E4CB94C34E02292FD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:02.186{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4523A7F6875A74AD567A5CD5BB4E72,SHA256=1171106E0B299A7E35D9992251DC75C63AC333FC8D42501D8DBC7BF1E7873477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:03.557{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064CEB05666AAAEACE131DDAB21174FB,SHA256=9FA87A2DE6B441AD4A67899B5BC39E6A06C0A4E52141EDB95830C2D95604C584,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:03.509{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000303697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:03.486{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x8000000000000000303696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:03.486{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x8000000000000000303695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:03.204{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE327E48797D669B7A7241D0AAEA6920,SHA256=6A78F6D4DBB96A203A42CF21691340A46834E07EBC05AA0631E1AE03ADC54AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:03.354{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=03E7F76EC91C4C5D6198C8293D2AC779,SHA256=900D9D97DFA7A7593DD74C765C377602D35760EF552545719DCD6D951F239F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.930{5097E253-971C-6149-722C-00000000FB01}7100ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\ef4aa0ad-4906-451d-a4e2-c3f929495949MD5=9B8D69227383901657AB860DE167553A,SHA256=46169DB71EADD54A900018BE91E2F4A243D41E8B8F6889E89764F2EB8975105A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.664{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.664{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000303762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.664{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.664{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.664{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.649{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.649{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.606{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.606{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E623286FDA4D1DEBAED44202899755C,SHA256=31424E46EA74B900734422FEA8877E8581B4F1E53EE3358FA92494D7E1B6DDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.586{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11D9619D3ACAE132A721A6A07B51196E,SHA256=C71ADA4397D3AB69E52572F84F9C99A787A57E86969936F0144E47F18B01BE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.570{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F450B2DE5D8A430320DAF53CA9AE6A9,SHA256=15800B56DE2AA9F75D1E8E38889CA5F4462261FE70C442E04495F8085127CB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.570{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=3FF377F5EC703D491206D86F5EB61EAD,SHA256=FCEA796063BC436FDD2E125BF11312D02ACE8A7A0F8EBFAFB35DBA0E5761BCD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:04.570{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0899B67226FE61DB61249EA988F49,SHA256=776EACE04EA211A84F9B0DC4C2B0442731224F41A91BE004CDF80D124CCB19E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.555{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-971C-6149-732C-00000000FB01}6120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.555{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-971C-6149-732C-00000000FB01}6120C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.539{5097E253-971C-6149-732C-00000000FB01}6120860C:\Windows\system32\conhost.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.539{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-971C-6149-732C-00000000FB01}6120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2011fdf|C:\Program Files\Mozilla Firefox\xul.dll+2011df5|C:\Program Files\Mozilla Firefox\xul.dll+2011e41|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+14a9f5|C:\Program Files\Mozilla Firefox\xul.dll+14c453e|UNKNOWN(000002E98D874A10) 154100x8000000000000000303741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.537{5097E253-971C-6149-722C-00000000FB01}7100C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/ef4aa0ad-4906-451d-a4e2-c3f929495949/event/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\ef4aa0ad-4906-451d-a4e2-c3f929495949 https://incoming.telemetry.mozilla.org/submit/telemetry/6905d3e3-8664-4969-88ff-cd2c72161a31/main/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\6905d3e3-8664-4969-88ff-cd2c72161a31C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000303740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.523{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\aborted-session-pingMD5=4D1D0EF3562BAC15A1212BC623A3970D,SHA256=703DED1FA97CED5E7B0FB42F7151E4D55990728B6810D91A83BD1B3A111FA715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.486{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage.sqlite-journalMD5=C8C75861E89C674456AF728074DB2B12,SHA256=77D69AC2B14A0607DF34FB561CF49E9E80D2DAF96C780EC46311A105E59C91E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.486{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\xulstore.jsonMD5=DD6AD0D5F3D669B99707450351612CAA,SHA256=3EE0E203477EADCFA3D0E7B62B4064B95878F1A0E1844539A857BA96A08D2669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.486{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-walMD5=1B432660D25D5CD80BDA8CA0187F8A12,SHA256=12795BEF178CD3CE372629735020556EB7D4414ED46F26F85F72AAFB532656F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.486{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-shmMD5=6ADB49E879A702944DA5D19DA09185E9,SHA256=40A87D8C33215AB62B9184ED0AFF44B4C107EAF68E7EC7C8A619ED8CFF997DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.470{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\favicons.sqlite-walMD5=98027DF17E8D9A3A41011AAB76301CD6,SHA256=26178467FA10028A1E4FEE15ABB4AEC09350A7C99AEE26AE7F9147B14BDEDA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.470{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\favicons.sqlite-shmMD5=30AB38290808EDB20F35CC9169C70B2D,SHA256=0F94CD1C96D5487009795CE14E7D0371E15786717FAD7CD0B1C8FF37223E70F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.470{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\places.sqlite-walMD5=C03A723A8615DFAD6A042E87E9C05914,SHA256=BB6396B7DCD8D4FB35C0A79663315EFE17C26CB12842841535AF996FB943543A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.454{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\places.sqlite-shmMD5=6507978BDB71C038813BEE4260AABB68,SHA256=1EA790A9301B17BE0F8E57657D82BF6E384C81D4D5E8ED5F87BD9CB13DE67F4A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000303731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:04.454{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.12.122618635C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000303730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:04.454{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.11.148812757C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.439{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+13b3ea|C:\Program Files\Mozilla Firefox\xul.dll+1272353|C:\Program Files\Mozilla Firefox\xul.dll+1b6754f|C:\Program Files\Mozilla Firefox\xul.dll+1b5e39d|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000303728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.439{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+13b3ea|C:\Program Files\Mozilla Firefox\xul.dll+1272353|C:\Program Files\Mozilla Firefox\xul.dll+1b6754f|C:\Program Files\Mozilla Firefox\xul.dll+1b5e39d|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 11241100x8000000000000000303727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.439{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\SiteSecurityServiceState.txt2021-09-21 07:22:51.976 23542300x8000000000000000303726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.423{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\SiteSecurityServiceState.txtMD5=115E4037391ACE4703EF789A01ED4E9B,SHA256=354AAC29FB7E55725F55B8CDD61D72053C67037CFF69A3EA34D57330CD000AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.423{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000303724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.423{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\AlternateServices.txt2021-09-21 07:22:51.960 23542300x8000000000000000303723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.423{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\AlternateServices.txtMD5=02135FF96CFFFF1A29EA27BA4CA0A800,SHA256=BCF9D5893919BA98266F59B0183DAA581AB220305DF1C83CA9DE11A54D2DCB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.423{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000303721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:04.408{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.10.182915763C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.408{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000303719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:04.408{5097E253-96BA-6149-5C2C-00000000FB01}7760\chrome.7760.9.102367010C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000303718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000303717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000303716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000303715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(000002E98D871E84) 10341000x8000000000000000303714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96F9-6149-692C-00000000FB01}5624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(000002E98D873E5F) 10341000x8000000000000000303713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(000002E98D873E5F) 23542300x8000000000000000303712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\sessionstore-backups\recovery.jsonlz4MD5=C96B30FA09AC3234EC681DBDBBBB2086,SHA256=88854DF5BF1F309B0ED810AD53C388A7AC09908CB2336741B157D7C6619FE8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}7760ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\sessionstore-backups\recovery.baklz4MD5=36F23FD2C92C0B8A6519F568BA5E5D3F,SHA256=16AC5961FB07D4C5D46A6C9C1ED12E0A61BD2F34368FAEC42D6273E895004681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BC-6149-602C-00000000FB01}8076C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.386{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5E2C-00000000FB01}6600C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.339{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.339{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.323{5097E253-96BA-6149-5C2C-00000000FB01}77603376C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000303705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.239{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.239{5097E253-96BA-6149-5C2C-00000000FB01}77607944C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-96BB-6149-5D2C-00000000FB01}5892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.223{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7ced8|C:\Windows\System32\TwinUI.dll+764bd|C:\Windows\System32\TwinUI.dll+76093|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.223{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.223{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.223{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-96BA-6149-5C2C-00000000FB01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.223{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6007B055A934995E56B6E83D59AF4FC,SHA256=791E5917D9FD7DF5F5B1193E75D6638850A07027B10E3A01187795DB8D922D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:02.649{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:05.570{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658AD1E229D08D9470964E9ED4D7DF2B,SHA256=53C1E7CCFABB248214A53A8D8730C8BA80185AE639D5795CAEE02294F6A1092E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:05.758{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CCD338E9A6E61B3739E4FB3E33B1072,SHA256=EA93C22B457B03586EF57FC3525438A01ADA9C2E14747DE04AF31D5DB6354CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:05.758{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11D9619D3ACAE132A721A6A07B51196E,SHA256=C71ADA4397D3AB69E52572F84F9C99A787A57E86969936F0144E47F18B01BE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:05.243{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C24D3CD24468B733DA5F1B11234AC0,SHA256=E731A58F80DEA99765DB983A98073151225B25820B38E1D73B26FA1BCD9FF9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:05.133{5097E253-971C-6149-722C-00000000FB01}7100ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\saved-telemetry-pings\6905d3e3-8664-4969-88ff-cd2c72161a31MD5=08E5E5BAA604B8EE7C4E5D8DC3719AB4,SHA256=8164B3B26F2494DD5469289A2CCD7991183E74AA3E939D78B569EDC8E7F4B98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:06.585{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CDE47E1309557E5C6B176CF0F995E7,SHA256=F8D7363401135AB6A49DFD80D5909E176B0CD17E0BA95AEBADEA47A73B199FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:06.243{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F0B997DBB370A04D8DDF6C7961E426,SHA256=8A13F8B897C8737B07828E8EB55112FCBB16D4A5D412B4B3DDBA742BD0632B60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:03.549{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61102-false10.0.1.12-8000- 23542300x8000000000000000264573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:07.601{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B80E0217C2CFFD7912BC7A248AE5E18,SHA256=0B45B2AF185841BCC96D1293652793E8BFBD34CBC1C2F804530156CE35A73E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:07.258{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456A72174239FD50C0151680C67A805B,SHA256=23FDCE82022C6A0A5D73FFC986688419D35F5887388B26711F0A103AD8454AFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:04.001{00000000-0000-0000-0000-000000000000}7100<unknown process>-tcptruefalse10.0.1.14win-dc-966.attackrange.local61103-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 23542300x8000000000000000264574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:08.617{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BE088854E0B11E74E91A31751C7DD9,SHA256=5650A5E13991B65A873E8D85C986E1343198096333831E712683F677C69AD633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:08.465{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1392MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:08.259{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877EF82E65F4B2B5D1537744B9725BD6,SHA256=8CEC1AA0988AFD9A76E39B8562051F61BEE5DEED40E417251C8FB3370083A07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:09.632{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8380D18286D250787D6255D69A5900,SHA256=C8C55375CFCB40AA33183188D18A1214079D5CF37C53648B48AA7A76198388B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:09.479{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1393MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:09.275{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52B80AA963282B7A5B82620019F2BDE,SHA256=6D6DFD54290E7A855DAF105A0C6D733322FF54677EFCB923FEEC6FFE07AD31C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:10.648{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226A9C72F91954C63CF867F3F07A0AA2,SHA256=8B335AB19A6C41FB3B51FAACE0827EEB0BD0F5BEC4D2668BF5C6BF94D10254FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:10.292{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A886CCCC1B2D9845A458781182EA024,SHA256=1F9F4041D5AF70A9CB7C1CBA3183EE5B7905F283E1B9F5C0DC34402BB9EEA546,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:08.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:11.664{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B6BCB7B7ED24919D9C8F886361B5DF,SHA256=130847D295339C1E49865D49AE86B0D90CFD8655EEDE3B1AEAD1A388FDB5F8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:11.307{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533AC886DE8219CD8B8A853BBF4D0E61,SHA256=AF2CB535C960246478F1A2AEA99724764D952701481E7E841E428A0037440661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:12.742{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B550860E4A789AD6DFC1439674D06CD7,SHA256=3AF365A66049EE959266E447DF4AB282E44C2C6FE9ACE149546DE6956DB4AB66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:09.429{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61105-false10.0.1.12-8000- 23542300x8000000000000000303780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:12.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EBA4AE068C1BD1D4B7550F5241EC34,SHA256=A3000CF026C53599628F8F7E2E661A02F71F1B5BC7E8CE77AEAB6F05EF61DDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:13.789{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC492B796A86B9D27E4BFE127BCD55C,SHA256=91AE84243F1F905F7BC114BBE49BF1E0268295C69B2F284DF84C29E0368B1A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:13.339{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38229D58575144A815E6F3B10C04231,SHA256=BCAF24F8B7D6F367737E2499AC3528434470CF95532E0FB011A9A2840AE51E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:14.851{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1003DC80AF40298D643245786604CA7F,SHA256=14B2C8209BBA78860A1B9F701515F60EF84235AC35943279AC23987597837875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:14.354{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0CBC4760BBE8EF6E21F2841E36DC49,SHA256=ED140EA7FF2CCF7FFDACB045B188E12669CAFAA470B159B4293E59F138E01F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:12.216{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-59731-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000264582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:14.601{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=972DBEBFF20A8D8F9E5F4229902BA7B0,SHA256=E3101F037E9F0CF65757D734E41CE306EEEC4B0E20AEEA63CAD5AC7D0884E293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:14.601{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4EC8D96B91C16717A1E907DDD11D27,SHA256=884D2DFEFF53B0DC2286E00257E89C63F9378715E6FB1A479C5F466502362309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:15.913{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D0BE12C94C3F99423138275CEA91C9,SHA256=A432AECABA902F69E27EEEDE45D4B9D73212CB0D0ECF3F327CA3FEFEF92BF3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:15.370{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BA661142B33381918D6DC09AE2C849,SHA256=EB4B88A15F386067CD83098911AAAA798DC3436E171C7C736BCB5102842FFDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:15.619{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1384MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:16.974{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D989265BC3C1FD6E549DD54FAD171D,SHA256=787668CC80E7BDD7488241BD9C141CC5442B3638287F70C937004BAFE02D38F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:16.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF140DB48E16944E8CCC63270B5CA10,SHA256=2D30CB22BCBAB3E0231A3D61EC8DE1B40D656F993A5D87B01634119DF0BE57BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:14.584{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:16.633{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1385MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:17.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7181ABBD214CAD7754C9C2D576765B94,SHA256=65F9C20B498DEE45AF488BA191C194B47483DCEAC0A176EFEBA566CDE0ED43EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:14.492{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61107-false10.0.1.12-8000- 23542300x8000000000000000303788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:18.386{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2350B65D6A6EE4174143B055F7522663,SHA256=1E0E930431FADF5724361ECDD1D2CD310660B42FDBD085E58E04FC7D46D9BEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:18.008{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF95744286FBA35650A045EA50DE511E,SHA256=4FDECB7420C16BC794C94536494D6443D290EBFB23597DB3D58F34B9E5768A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:19.401{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AE16587F8E6C5911684DCA3B5E28D4,SHA256=40A543542E3186CE96FE1BE035DCD0A41C60102BBB2F657AC3B6A73753AAB052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:19.023{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4F9DC86442D241C1E70FF5F2EF9190,SHA256=86EB015F2E0F00F79A70D073418CB6C4E30F1F44815F4054266B8897A17A5C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:20.433{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776DD883EDA5166ACC05425413B299C3,SHA256=C607905E49AB1F9FED3E5D6A4AB10129EAB9D95A65D7F2538032E337BFE6194C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.914{C189DCE5-972C-6149-C727-00000000FC01}3736428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-972C-6149-C727-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-972C-6149-C727-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.789{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-972C-6149-C727-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.790{C189DCE5-972C-6149-C727-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.305{C189DCE5-972C-6149-C627-00000000FC01}24803656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-972C-6149-C627-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-972C-6149-C627-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.164{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-972C-6149-C627-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.165{C189DCE5-972C-6149-C627-00000000FC01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:20.070{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006ACC8780F93B7D79CCF92F4BE0AFD8,SHA256=E2257F3ECB945FC12912EBC842C9FBD79F1E00491948F105502409CDB342DF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:21.448{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E128ED75E8E35BBCBA17B1BF1065ECEB,SHA256=911AB1B93ACB9A8C3DCCB1F799BD4B912496B74D1D55782ABFD0EFEEE61C424A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:19.646{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000264649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-972D-6149-C927-00000000FC01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-972D-6149-C927-00000000FC01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.976{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-972D-6149-C927-00000000FC01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.977{C189DCE5-972D-6149-C927-00000000FC01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-972D-6149-C827-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-972D-6149-C827-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-972D-6149-C827-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.307{C189DCE5-972D-6149-C827-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03772C4EB5210664FA820172417FBE00,SHA256=5E1244C2241F47ABC89866CCD10FFEBCE1D7309778D606FB85DCF83DF5BDC312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6418D6766CF93A27DF8F21F245FD066,SHA256=DFA633B86572622C519DBE15391A0CF1AD9A5804AEF664027740DD937898448E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:21.305{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=972DBEBFF20A8D8F9E5F4229902BA7B0,SHA256=E3101F037E9F0CF65757D734E41CE306EEEC4B0E20AEEA63CAD5AC7D0884E293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.823{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:22.479{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F8455169990448B4CADEC27B3EED88,SHA256=8811FD49F7BA34F339F68FBE7724D945B8C3DAA74082712966CE0219BF4ACEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:22.476{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D04A53B357F586153DF8997833D443,SHA256=13A0769FD9275F51DE3EE7D3020FE76B7DADAC70BD620541335E964BC87A78EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:20.461{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61109-false10.0.1.12-8000- 13241300x8000000000000000303792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:26:22.026{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec2-0x5bf32302) 23542300x8000000000000000264651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:22.367{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03772C4EB5210664FA820172417FBE00,SHA256=5E1244C2241F47ABC89866CCD10FFEBCE1D7309778D606FB85DCF83DF5BDC312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.682{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4893CE58ED125240BA688BF01149538B,SHA256=90344FC1A8E686B83AA3A8D29D0FDF1C02D86829A701AE7B52B3EE5DFF6C5916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:23.477{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9B10432C471E35A4562436520B3135,SHA256=69DA8CE1B0D143050798E3307D5ABC5E29BCA34A3A052EB0B7D8B52F96E8F0D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.323{5097E253-96B5-6149-512C-00000000FB01}78487272C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-972F-6149-742C-00000000FB01}6340C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+127e839|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+127e783|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3111190|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+10548eb|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+27b52b4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292bb64|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0 10341000x8000000000000000303841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.307{5097E253-972F-6149-742C-00000000FB01}63407460C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+7605ac|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+75f530|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292b4af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0|C:\Program Files\Google\Chrome\Application\chrome.exe+a8e97|C:\Program Files\Google\Chrome\Application\chrome.exe+10f8e2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.276{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-972F-6149-742C-00000000FB01}6340C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:26:23.276{5097E253-972F-6149-742C-00000000FB01}6340\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000303838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:26:23.276{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.18206426487570892635C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000303837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:23.276{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.18206426487570892635C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000303836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.276{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-972F-6149-742C-00000000FB01}6340C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.276{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-972F-6149-742C-00000000FB01}6340C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+90fd6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+906fa|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29ce45c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:23.276{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-972F-6149-742C-00000000FB01}6340C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000303833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:26:23.276{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.5283525490450500819C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000303832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:26:23.276{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.5283525490450500819C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000303844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:24.687{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487E8CBF7E74B999A08174B4726D565F,SHA256=CCE3B3A2795418C5CB063A9EC5D0933CCF038289266BBF5C6C9BD58A2DC259FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.509{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC367D3CB8539A1CA3CD246142B2CCA,SHA256=55B08B2B936291305A1D246EE88858F45C72A77916E857823ED8B9FF4B6E1327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.494{C189DCE5-9730-6149-CA27-00000000FC01}34083384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9730-6149-CA27-00000000FC01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9730-6149-CA27-00000000FC01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.353{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9730-6149-CA27-00000000FC01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:24.354{C189DCE5-9730-6149-CA27-00000000FC01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000303848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:26:25.734{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000303847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:26:25.734{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000303846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:26:25.734{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000303845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.703{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEAFEAF9642B96ED2123D6FC0B6B9E8,SHA256=661F0FBC70E43706F7B4C020F71F279863D9BD65A9EF540D57E36AF3A2586BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC23B31D7146D91009E8384E977F03,SHA256=D1255AB6DDB0237909A1BA21C8471BC1E3AAC55E079C50C69D0F9DEF8B273227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.400{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DEF2E9EFFA214AB6A2F3B2D182AFA20,SHA256=420B9C2B721CABE1637EB8B25698E6C122E17E621EAE2BF2598B7487A0EFCC70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.166{C189DCE5-9731-6149-CB27-00000000FC01}35042860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9731-6149-CB27-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9731-6149-CB27-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.025{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9731-6149-CB27-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.026{C189DCE5-9731-6149-CB27-00000000FC01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000303855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.065{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61113-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000303854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.065{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61113-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000303853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.059{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61112-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000303852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.059{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61112-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000303851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.045{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61111-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000303850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:25.045{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local61111-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000303849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:26.734{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5213B3FD32E66CAEE8E38995F59E28,SHA256=38E4ADB2EA15527219A905B3D0AFCC2C104C9DEA448AFB41BA434718CBF9BAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A543B64C6D63E74ED4298EBF0C9D9341,SHA256=05029A31B352460428CC3796B1D071796A8D3CDA956BE38798A569D52C2F080D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9732-6149-CC27-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9732-6149-CC27-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.228{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9732-6149-CC27-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:26.229{C189DCE5-9732-6149-CC27-00000000FC01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:27.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5203B33FD043B26482DFCDE32634F31A,SHA256=79602DA0C16F443B04A8E5D05CAAC16D1ADB5B3C4E7B6C3F048D9EEBAD30A67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:27.572{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52828B7F2D4BC8522F2E13826BE36F5A,SHA256=386B4BB3898DBB012C6A14F74D1E2BCEDCF4F0E61AC60BCA7048B78B4D6FAC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:27.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13DC51FE29AC0A683BC8B9207B91A418,SHA256=5A0C834FFD785E62A022DF18DF27770AEF64FCCE7CFA3026D564DC726CDECA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:28.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F261C53780BB6078A77F265D898BBA06,SHA256=DA1B50B75606DB57ACD872F7DC322DCD322CA17602806C679FF202BE3BA5539D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:28.572{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36C6EA19B2D8B6A2E72BB9BCAFCFDD4,SHA256=BD556BA3FB662D657C08E1FFC356C7521A84C8296455DD964138B47A6D197EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:28.734{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12C9D01E7A964D7C01B07FE0F30DEE1F,SHA256=F4D06E7ED94CB20BE3320C3487C3822CB688C9EB7B862C368CADD9AAADBCF01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:29.765{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C99ED12A37365C3BB7FCF0BFD884F7A,SHA256=FCCBA88A5EC8122D5A5A7C786EB3DCD8B821E431E32F1BAD4F93027CF323883F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:29.588{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B57D41F19E2E1A52F1281BFEA37ADB,SHA256=092DB72FB27401DAA4CB3386EFECBFD359A4DC454AEA44F22F48F42CDD213DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:26.387{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61114-false10.0.1.12-8000- 354300x8000000000000000264702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:25.539{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000303861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:30.781{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CDF1B98E0596B0942ECD71FA075790,SHA256=38BC4C9063F3E0A8F02C82DAD7262B84F674AB5B49A9AA5FD6F16561E46A52F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:30.619{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BFD433DB55C9EF6954D13802669160,SHA256=8663B3BC34A38B96FDB20685D834C18E1DC2B5FE0BE7AD6BDC42E46025A8BFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:31.781{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730CC1B057DDCFDE605FCD0CB67E5753,SHA256=826CEA41E1870495627851FF33F145474570331EF06EEBB2955C9303AF48E901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:31.634{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43515FE89A219F8B8A231156FA954BE,SHA256=40D8366D995BC4AFB861A180D4A53EE1843AF2B3B1D7133AC3996BB8156F3FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:32.797{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225939EF19357F0326290A14C1F54542,SHA256=7C3E705D3779B149B2C2308BFCDC4F24D85A1D3ECE36965C5267E6BDD727716A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:32.666{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF9612209F49AE755788EF68FCFAF6E,SHA256=4E62E2ACD24B069B7944C961371B1A2ADC5EDAF300194A98F967B1E62C7AA07E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:30.633{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000303865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:31.434{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61116-false10.0.1.12-8000- 23542300x8000000000000000303864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:33.812{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA88CF7414408AE1A5A3F166FF1F0B2,SHA256=363DA8DD68D0B4CE8FC1575900E77F1B511CCFA897F7649691A8FAF7580B6162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:33.713{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA942F6DE07FC277A393D63B336B061,SHA256=226316BC033195B39FF7D7BC39A8D575E22BFE8E1F29B38D9CE3EE085FDEBBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:34.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825D260C0E26BF79F0F866F22BDEF23E,SHA256=71B18F31E1B203B1C0100E80ED368780CC7D51562CE08355AE636E2C3B4D3B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:34.713{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECF0D26798D8D2E5E8E45DBC37805F4,SHA256=AC39F62447DFB5163FF896779CE323CE53AAB2C8A1260E0793C4C5F421BB45C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:35.859{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BFF53758AC4877A6B1136101420B1E,SHA256=B1A14B91F112DFAC9DEC077C947C4D1D7AD8D4A77FED5BBF75DC6255C16F28A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:35.728{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51F568C720F537F6D6AF75D03BD44CB,SHA256=7957C226C631BEAF5F60C57D8FE621DF96E5DF8F25794674C1BF93003541A625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:36.859{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89FC626E446D2727A1B3F7217D8D30D,SHA256=3709E97CECD90DED17F132AFE4C4A5B07447761BC463E5B24C4AAF4DCE7A86FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:36.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFB0BD73F2BAF45265568AA43CBC721,SHA256=AA8931970B68401B303FB4352C10D9503CCECC5D8A9F6CF41EE9FC75DE27FCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:36.828{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:36.728{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:37.875{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6F3DC4485AC76E007C6B6F0266DE96,SHA256=4DA0BF1CDFD709BD1763BACFA895A8437D827B09F8197EAA24A4FF7F8BED6965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:37.759{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FD8B82F577C827090D2447B23E95E3,SHA256=BD1A68B83C84BC4A94DB9D35865BC268022B1717593583E49769A75E3CA695AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:38.875{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47A958D7F2328A92F42DDCA3624E9A,SHA256=ADCE176E03555AFCA76A3F083957B321EAF8B69048392617A894E3AFCEA5DE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:38.759{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6751C93233AF7C7261651E47D1B93072,SHA256=71A74327B6CAC1694BD43E1D56C0B7B6A7B6BEC4380AADA76DDA170D7F5D8DB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:36.122{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61117-false10.0.1.12-8089- 354300x8000000000000000264715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:36.508{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000264714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:36.180{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000303875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:39.890{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1963C786C7574847052BEE4D8CEF4D4A,SHA256=CDF5FB5FB1B08E5B85A3EB4BAC524B63206A6BC418C3EE058C7650CAE7079C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:39.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E12F3BBD7257D9CF30968364FAEDA80,SHA256=F302F83827ED8297F0AD94911F982AE3A0ACA41379D3626C2AA3CF694D8FD52B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:37.465{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61119-false10.0.1.12-8000- 354300x8000000000000000303873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:37.137{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-58413-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000303876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:40.906{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F6EC6F417FC8C3675403BA6429361A,SHA256=1E75323D9DD8AC29D16575629EE43EE9EC8136049187DCFD83D541CD9B647EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:40.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EB321E526F0C96E774758F16703547,SHA256=B4F722CECE8448945120C7A861F64852007DFD564D6B8FE9C5BCFE395AF0B483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.937{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728C227450908AEA59EB9BA64DA70319,SHA256=9C949A3265B32CBFC8CC423C22723F9C50A995359CD9952838EB15311D4D4F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:41.884{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C003526A2C57D99B00535B10303CAE1,SHA256=1F0379640DE8D9ABBD998233B638EBF6B08CA1CDD20F8A1046E80E2F53CC3217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.594{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9741-6149-752C-00000000FB01}1772C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.594{5097E253-8815-6149-F229-00000000FB01}48445372C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{5097E253-9741-6149-752C-00000000FB01}1772C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x8000000000000000303887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:26:41.594{5097E253-9741-6149-752C-00000000FB01}1772\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x8000000000000000303886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.594{5097E253-8815-6149-F229-00000000FB01}48445372C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{5097E253-9741-6149-752C-00000000FB01}1772C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x8000000000000000303885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:26:41.594{5097E253-9741-6149-752C-00000000FB01}1772\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x8000000000000000303884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9741-6149-752C-00000000FB01}1772C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9741-6149-752C-00000000FB01}1772C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:41.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:42.953{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AF32F161A745767002FE6C50C582F5,SHA256=9E443802C1C15ED7FC527697F4C9D392437BA92899F2773D20977A081FEAECA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:42.900{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847B247B9E54544C383C551A31DA6BF6,SHA256=D9C2C2A1549B26F68BC436BE8004A869B2373390BBBF12F926739AE058EC7C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:43.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328EE1E210AEE64297AF59C2B5D3B7E0,SHA256=27789E938A23D135A025B69F531800B0C6B2666F61E058CBDFFB4FF441BD1CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:41.695{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:44.957{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4CC939D93F16C31B4E0E6848EF6E6C,SHA256=F243A19E9392718ED78DB2F02B636F71FAF8E7F37E17A68D46E2535E20B230DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:44.015{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8DD697C585DA994092AFE777972032,SHA256=2E06951C1AD39EC3189C276A52E7FC083268F1543D20367926128D72B9FED757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:45.988{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971AA617085FEBB8A5F50F76D9E62436,SHA256=2FC6B78FA36EEA8A9239DA069FD2F4C98094C7DB475ADE69C334058B42DF3EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:45.035{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEBBAE2D98DBF496168E80F6B4484AD,SHA256=B906C29707FB0E2AC8AD10B64F047F3D7E2A26B8DB05BED40A2BDDD91E12557F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:43.376{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61121-false10.0.1.12-8000- 23542300x8000000000000000303894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:46.051{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB47358E123C2A2927D3A08321B6FE0,SHA256=9BA3A87A4BC779BB8E8992FE7DE664BAEE33DA95AA13B545A122B621ED1275A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:47.082{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C80905727D5C266FDC4BDDB9604F9,SHA256=7286EBE673378CFC3BC5007ED96B5C1FBB570A48660B0A7804854B9828727E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:47.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5014A581CA235C9B9914B160A6EB70ED,SHA256=7F283C12E75E4B62BD3BBA68CEEEF494B7AEE63D1732B89944EE6BE039EE7AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:48.332{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51cd3ef.TMPMD5=116A3297EE846B428AB23018316A473C,SHA256=842B114F596E804AA798EC3B07323D6D57F0E1E013D0CBE92EC4F676AC26553F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:48.082{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C398D5191725F906153CEB4DF67420,SHA256=71830BA96DC2F740ADF7DD38EDA054A9E27C317012661B80984A2015B227BF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:48.051{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0EE4BCE3A227163E18777B70DA2CCD,SHA256=36090E90ED0BA805382DF434487836ECF1E023D505BBFD7BF158B3826B258CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:49.097{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337CFB2F6142F6AD4310D7CBB1E0F0DD,SHA256=94BC3D23216027371C0603EC5CB0F80AE97E1A5C63C1B65227DFB4C73FE673F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:47.627{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:49.082{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3830C404CB085B47BDE2488421411A5E,SHA256=12BD2763ADA46B357006520B51C1E23F0729A4B33DAB7B37307B8842A80781C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:50.144{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C867EC130B3176401E39B458F88D2FC3,SHA256=A1D5EE6B7D5077F343F94977CE604542FF7868C20442BFE858A987EC83213BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:50.098{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376529CF34076F9C0E17F84EAD92F94E,SHA256=7EDF59E7BE31C372BF88B79485FD66D9599541857C89954FDF60590100A4CCFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000303903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:51.441{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\5.png2021-09-21 08:26:51.441 23542300x8000000000000000303902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:51.191{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A99B9C97F65E24A71CC6CEEE346FB69,SHA256=ED2B46975E6C63775E738AAAB2019E991264877B59BE504428225CE2801BB947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:51.113{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F691258019A1E5BBBCEC16F38D9B0FA,SHA256=A6970C7DEB137E2DA6B01719973B6977BC3688B56491B0B46CAA2EB41882016F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:48.563{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61122-false10.0.1.12-8000- 10341000x8000000000000000303916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.644{5097E253-974C-6149-762C-00000000FB01}32206744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974C-6149-762C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-974C-6149-762C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.488{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974C-6149-762C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.489{5097E253-974C-6149-762C-00000000FB01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.441{5097E253-483C-6148-0D00-00000000FB01}9045916C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.441{5097E253-483C-6148-0D00-00000000FB01}9045916C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000303905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:26:52.426{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aec2-0x6e11b3bd) 23542300x8000000000000000303904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:52.191{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E5AE8529CEC00E9A37495F84FFF466,SHA256=3D23A1A856AB49F4CAAD8D62470C29304AD129C22160889C79566BF635AA080F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:52.129{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DCDFBF5C379010C05E044028D0180,SHA256=5B2A1A411E3255E712113BD04216C4968C36E03539DA569E2953CDEFC1D241A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974D-6149-782C-00000000FB01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-974D-6149-782C-00000000FB01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.832{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974D-6149-782C-00000000FB01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.833{5097E253-974D-6149-782C-00000000FB01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.207{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E4DFE512D831CE0C34675FE8B9D858,SHA256=E6ACD721C219051E2A5CEFEBAAF6B6E97BF0371C16243D5E77322EE61483798E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:53.145{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E84081F5C04812BEE13E352195F2B52,SHA256=B2207405566A433236C998187DDEDA9DBEE87EDA0D79BC25276815B1BB4113F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974D-6149-772C-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-974D-6149-772C-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.160{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974D-6149-772C-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:53.161{5097E253-974D-6149-772C-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000303945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.519{5097E253-974E-6149-792C-00000000FB01}13646648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974E-6149-792C-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-974E-6149-792C-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.332{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974E-6149-792C-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.333{5097E253-974E-6149-792C-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.238{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B723DFA6AF24AB309D6EBE296B7BF7,SHA256=3D9AAAEB6D4B0A1FD649DF29D049F0BD419736ACFD6EC1016FACEFEB59877CCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:52.642{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:54.160{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2A1B914E28C55D7DB92C6C358A1D4E,SHA256=BF15D34C97EA60DC9C115BF3DA0D5FA094AD5D50AAEB2BEDDBE040D0BF2B0C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:51.719{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse20.101.57.9-123ntp 10341000x8000000000000000303934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.051{5097E253-974D-6149-782C-00000000FB01}74486440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974F-6149-7B2C-00000000FB01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-974F-6149-7B2C-00000000FB01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974F-6149-7B2C-00000000FB01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.676{5097E253-974F-6149-7B2C-00000000FB01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.254{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73276AC30536E97379153BAD9B68AC74,SHA256=3AE2B57F7CABD6738ED1BF3B32F982E60A39F16DCAC75170AB8AFA196BB2CDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:55.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927DB7D9B867BB280D4FD8FBBB341B1C,SHA256=7CAF35BDA7FBC7DDED2BFA8B4A17E62F98724690DD7BD02130480EF39A9BB4AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.176{5097E253-974F-6149-7A2C-00000000FB01}74006584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-974F-6149-7A2C-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-974F-6149-7A2C-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-974F-6149-7A2C-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:55.004{5097E253-974F-6149-7A2C-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:56.285{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F84CC4A55D85131264660F189542FD4,SHA256=7CE1608F4D4912A6DF08D1E05638226607ABF3110677E7BB9EFAA20308642F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:56.191{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5074AC4A77CF4F08562D6AAC94EF55BB,SHA256=CCA687B40D9752AF55E06B9853C100FBA1578D352786C8A7A65C2C94ECAB2FB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:57.879{5097E253-483C-6148-0D00-00000000FB01}9045916C:\Windows\system32\svchost.exe{5097E253-483C-6148-0C00-00000000FB01}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:57.301{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36C0782EBD4F93F708E593361051A57,SHA256=2CC309D446DBEA4859166B4D6A0B36DF1E9DE33F3488EEB68856F0CA67C9DF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:57.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C848E27806090268E58B4B30EA6895B3,SHA256=F0308E6DA8E0A9CA90742CFD452DFEB7494C001DC716F9287D4C4D5953C3BBA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:54.500{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61124-false10.0.1.12-8000- 23542300x8000000000000000303970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:58.301{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0391439B57065E3045518A099BCFC7,SHA256=2014C6B3F4BBCAF2027C4FC850634E6CDE4E5E5EE3629BC1F245EFEB85BEDD75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:56.032{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61126-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000303968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:56.032{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61126-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000264738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:58.223{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67A85B5AD2DD74AA00802BB28A4BC04,SHA256=4B1B987D8158CAD87CFD8529A61B7E65C7B361527C42D61176900433296A7A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000303979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9753-6149-7C2C-00000000FB01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9753-6149-7C2C-00000000FB01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.660{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9753-6149-7C2C-00000000FB01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000303972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.520{5097E253-9753-6149-7C2C-00000000FB01}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000303971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:26:59.332{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75580E811CBE63271C9FB5E6E28C42FA,SHA256=9D19A1EC8CD72CEDB054F2C2204331B6EBF560F52ED38A29E968CFE41856CE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:59.223{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B0DD87CEC1CF90B55AE99178DEDD50,SHA256=D358151AF460BCB9EAF473188A7FACF9977D74F78E0F18E9B888489A194CC998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:00.379{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E4CBBCEF00CD67ACF27E55D1008D3,SHA256=8F2D6E3A817784ED90DC944B7F7255A442374CA5E9555E22458DB64ACF9FE24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:00.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2974479B0250DEF7F950ADCBA352B17,SHA256=1C98F5665BC384209FF6E45C89A5DCD2F51D9FCF2934B84D5590108BD0AA94AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:01.379{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9275CC9D5B962136CDEB872BF8F94092,SHA256=7CA97A51D0ECFDC60A1FD984E81B0B37B58C5920AB407B9ECB61139897B9BEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:01.238{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC16F64BDAC8021B49A8545D538AF877,SHA256=7F110A2B81025D1525362AA0457949D8739F04694475C839A8814650523FB131,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:26:58.596{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000303982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:02.410{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C87682137EE00FFB721B877174EC8E1,SHA256=349CFF325DAE54C1E2BD026991316267DFC0B42251411BD99D858B9A378A075B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:02.254{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E269CD84E11D94DFFF1B95C9F7FC14A,SHA256=EBB89202447E6DFA21AB6EDC2B656218358625211A2C8FF73ADE218EDFF2C0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:03.441{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B881999025719CE49669E49D6EA3BE,SHA256=B942A5D672D40D7446D4EED80C929373A64C5BFD5BFE5859F82334813DF15F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:03.363{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3CA6E7F2FF2E2A9B8BE6318EF005FF15,SHA256=9E5581C3C934E111B97AA42F42E24B6E560607BD34E5ADDC30921489ACCE3B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:03.270{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ADB57084027D4AA61EB45F87D8D7E9,SHA256=C566AC83A637321D8A272CE42E0A03D461417B18DE929C0E21CAF9BA8444AC79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:00.501{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61127-false10.0.1.12-8000- 23542300x8000000000000000303985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:04.455{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498E9E0C6586D5A8BDD9D27D5D13001F,SHA256=A046D849C1DCC3950B515B54BE3FE0D927268A700E956F8F7A4B406BC682B017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:04.277{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015D48629389B12FA3161E647DECA8CA,SHA256=38546E64B91422489ACA6423ACB5269FBB53D7255658834C59C303EC529D152A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:05.471{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BDAC17F6A672C79AFD42FDA84B384D,SHA256=9CA7EE89836BABBBDE63751673896675F78E3CB75CFBC5292F55A2C17D85FA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:05.293{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5738D5E434E36BEADCAB6A4449EB30,SHA256=50EB0EB2436508723755A7DC37DF7721DBDFF1978D7FC8F0ABFA30C425E1D9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:06.486{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3D9782302ADE29FF64C576CE7C4E5B,SHA256=38884B44C7B528142C84169A9D8A096C6CC46CB0855C978A6DFCC0A1F77885CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:03.697{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:06.308{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3577668CD285CAF64D061B220A91974C,SHA256=9D13C846A06A05234BEFC4AB3FCE83C7EFDD6610A8750CBE52F9C38040EE21A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000303988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:07.502{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4881A2941624310ACE768BF1B745BE48,SHA256=2A7E4F341E4BBBF22A4FBD98312DDEE72AE7871F4D6297C721C8F74A08840FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:07.324{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A45DD5D1C7BADE7744E18764AE5DB97,SHA256=2EA1D77C403904B808DEEC9EAC88D1CB83CDD96B8B6BE964823A64D4F484E060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.892{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.892{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.892{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.861{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-975C-6149-7F2C-00000000FB01}720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.861{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-975C-6149-7F2C-00000000FB01}720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.861{5097E253-975C-6149-7F2C-00000000FB01}7206476C:\Windows\system32\conhost.exe{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-975C-6149-7F2C-00000000FB01}720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.846{5097E253-975C-6149-7D2C-00000000FB01}72045992C:\Program Files\Mozilla Firefox\default-browser-agent.exe{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+39f65|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+3c30e|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+57ce8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.853{5097E253-975C-6149-7E2C-00000000FB01}6464C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/B003FE53-9A09-4CF8-8841-BAD5546C5369 "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\B003FE53-9A09-4CF8-8841-BAD5546C5369"C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB" 10341000x8000000000000000304006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.814{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.814{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.814{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.799{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7379D269360A10434734C0C10B9C035F,SHA256=AD14E686DB886132754A71851C168C21FB9535B2C661913C673F885C7BF2A00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2934DDF924473612C38509F6D35923A,SHA256=228F7E3C58DE66B90949A8FD6F269E75372FEEF6AB23623849142CA0CAF57EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.767{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.767{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.767{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000303992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.736{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-975C-6149-7D2C-00000000FB01}7204C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.721{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000303990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.502{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3F91B9E2385A561F0F4F19C34C8D15,SHA256=A28BD3235511030BC0B339D65B93117564E5CE7BCCAE6DCB12612B77C473F407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000303989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:05.546{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61129-false10.0.1.12-8000- 23542300x8000000000000000264751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:08.340{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3078BBB0770C823B253B8F493509DB69,SHA256=EB07C742E5CBBFEE2C71C1A63CC01D139D560AE0BF94954FAA073C041E0E8D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:09.941{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7ADD9E432132BF1143F786020DA405,SHA256=1DE9B68279D8D9E1CF28C2D9610F861EFCD93A7BD04ED3382C4EC47241A40D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:09.340{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAB25FAFF22423DB239EE6B981F485C,SHA256=3695F8ACD9369FB25BA00EC454B4FC7DED3298A7A44209FFAAA25DE099FD8FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:09.127{5097E253-975C-6149-7E2C-00000000FB01}6464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\B003FE53-9A09-4CF8-8841-BAD5546C5369MD5=C293188433C64245E18F9F731BF84600,SHA256=127709B0DE57516104337CC35758440376958E21EAE9167E8B7771E2BED71844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:10.951{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B036DA02CF68CCB3D12E0DDF1E11A4,SHA256=F9E7BA60828664A3B38F46F13FCF3B786D0CC6933A2DE0A0D6D84A3001379CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:10.355{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7DE253AE5F819B48330F71ABC8E075,SHA256=642567A10820438207EC01544B72C33F54EDA019C45910AA5BABF0B866762E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.223{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59929- 354300x8000000000000000304025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.103{00000000-0000-0000-0000-000000000000}7204<unknown process>-tcptruefalse10.0.1.14win-dc-966.attackrange.local61131-false13.224.193.78server-13-224-193-78.fra2.r.cloudfront.net443https 354300x8000000000000000304024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.099{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50128- 23542300x8000000000000000304023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:10.007{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1393MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:11.953{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D6678D25E09D82A113F88507353F9E,SHA256=3235810D56FD47846353C53061843D489FD5CD4E45CD5D31E39491FE3D756DB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:08.697{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:11.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80070119A77C198A179DEEAE737A07CD,SHA256=03B54CBA0E6AA2911E8BFC623072F554F13EA93ECFAC05D9FD3B2B76E8A05F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:08.228{00000000-0000-0000-0000-000000000000}6464<unknown process>-tcptruefalse10.0.1.14win-dc-966.attackrange.local61132-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 23542300x8000000000000000304028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:11.015{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1394MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:12.984{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB85FBE77F3853915B42D5BE872BD83,SHA256=55E05E8B4C03E5F264094B5158030107D9BFF6640E5F2EDC6215F97B7EA64BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:12.512{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBBBBCC0AC780D483F55EF75A623344,SHA256=3B5C0A21F5B553216DA6B69389D8C854631E0DF946B9529F276F59DFA70764A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:13.984{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95727524FCD3849424587DB417CF874,SHA256=0FC7A1AA0F39B867C75315821384D2871D48725DC47299128B1FEAFB16E88C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:13.512{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA75ACF87D7633E03B5B8147711E20F,SHA256=2F6BD817B5F36EA42C7FD5BBF5FF91062B5E7A33DDA916F72EA489F42C63C39A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:11.481{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61133-false10.0.1.12-8000- 23542300x8000000000000000264758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:14.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C8D6F271D8152EF0BE19923C589D23,SHA256=AA1315565602BFE868EFCC44D6A9E392B2C9DD64D486C60D00656D41F2147646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:15.558{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B3562649FF646846DEB0E97C899173,SHA256=C72BCE81C130C0AD6D0AF18C4A71C346D8A583CA06F5A895FEB5F32154CCC94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:15.000{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFA46589086DD50B33D898D31BC05E9,SHA256=9F3CB6F064E24CDF31AFCD8AD0282E67C1AE4A6E60E334C734FAD62A7417E09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:16.574{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E5B48EC4AE242FBEF8BCB2C873AD64,SHA256=43B4AAB30EE679C86FBD00AA33994B4B775765472E3850DFA0743E7B45F887E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:16.031{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB26A3998A1AAD9387FFD6270745054B,SHA256=2B950265AA348313BFC48557A16CA10992B372A01F0FD3209E024F5A1E398951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:14.650{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:17.622{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB0805B826C6B645B3D2FFF70FE747E,SHA256=BEF57872582A62ACEB5CE4F9E43C9AAF9088BA194CF5411FA1BAD37415D1E344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:17.031{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCFD532B5231275A286E43471C8B072,SHA256=1E7CECED94F2AC8BED860C9F9D2FAD3F096787127C69F836EED9E787D833F2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:17.156{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1385MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:18.684{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728ACAA067D38918C968DC408C67DA96,SHA256=3A30206392237D07518B061C1229EB93C6FC49B6A4F75DDA693E8B508725CD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:18.062{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED495A7AE23E34F07B245D56D587DB9,SHA256=4D2E51BBE949D9FC6B93A6B78AC24127FA9391510DDE5DF2381D79031F98D3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:18.170{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1386MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:18.015{5097E253-483D-6148-1600-00000000FB01}12924108C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:18.015{5097E253-483D-6148-1600-00000000FB01}12924108C:\Windows\system32\svchost.exe{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:19.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE46E74FD8B213AC88B654EFA95B5B15,SHA256=9C8D3389B01FDA21C193893AC9074522CC0B8C3EA5789DDB95D01DDB509B858F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:17.403{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local61135-false10.0.1.12-8000- 23542300x8000000000000000304040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:19.062{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97535AAE5C765DD0D03920117601BA16,SHA256=670A19479A948712CA266A073EE7E5B495F23A48DE3BF5A57671F10F31DE2BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:20.078{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776E6B6A614098545DABA19ACF44C5F2,SHA256=3639D2101A10F035182A2147B8BBE7E12531EE6F1E1257D1B3EC73072BF8F6F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9768-6149-CE27-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9768-6149-CE27-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.606{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9768-6149-CE27-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.607{C189DCE5-9768-6149-CE27-00000000FC01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.372{C189DCE5-9768-6149-CD27-00000000FC01}9043220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9768-6149-CD27-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9768-6149-CD27-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.106{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9768-6149-CD27-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.107{C189DCE5-9768-6149-CD27-00000000FC01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:21.109{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BEA813DB1A9E5A97B72883C2D45DD7,SHA256=5101F7B09A53FA691A5D2F10FF496B43E708D6309F6A35E331632638D4C199FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.981{C189DCE5-9769-6149-D027-00000000FC01}3212800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9769-6149-D027-00000000FC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9769-6149-D027-00000000FC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.778{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9769-6149-D027-00000000FC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.779{C189DCE5-9769-6149-D027-00000000FC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.247{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=138055F8FC1FA94AE2F75BAE09B908CA,SHA256=D3E9723E2D989FB014E20A7872059393F594DE20E6F906935B27E48BF298A046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.247{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F13FE2D98D8FC1A40D79B9991998CE,SHA256=2DFF8F280D5E797C4A0570D916FB503BCDC66C72647B8C6DDFFF6F955543914F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.247{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2232D53F034D5E9F720860B9E840BB1D,SHA256=4F870FB9A4385823E3B9DA60FC5134212DB0374C502607DB84CBEC2523D6592C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9769-6149-CF27-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9769-6149-CF27-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.106{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9769-6149-CF27-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:21.107{C189DCE5-9769-6149-CF27-00000000FC01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:22.794{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=138055F8FC1FA94AE2F75BAE09B908CA,SHA256=D3E9723E2D989FB014E20A7872059393F594DE20E6F906935B27E48BF298A046,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:20.651{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:22.387{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713525EDAD3346FFC54FB438349B6F09,SHA256=27FC8442A93155E5BE2FE1DE9C9855B9642F566678F7364151DAD0BB7E9FED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.109{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87B56D5CDA63F606DE5ED08C4CB11CB,SHA256=79BF69CC56231F8CA9AE7BDFA1A0FAC2544B82580A1D7634202807C504B40485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:23.419{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF065796B7D3E22B13A321E1208481,SHA256=CBAF27703644F1E22C633BAC8E92694ECD5B51298D84C47A05F3C07460F3F917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.972{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40ED8EED0D81FA84665DEC80DC0E37D1,SHA256=DDB445BDEB87699E945871D89D302AC6705C54AD75E573B4970487D85D54D4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.847{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40ED8EED0D81FA84665DEC80DC0E37D1,SHA256=DDB445BDEB87699E945871D89D302AC6705C54AD75E573B4970487D85D54D4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.832{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF9CF87AAA6D43876C9214785F270F27,SHA256=81152622785F351E29481C044D9F15D7756D4AE4AF1D194EA623982196AB6CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.832{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E23D5D486F19963EEB729BB2FEA054,SHA256=01B7B6DE3EB813AB9E56523B0CB4049A2D61A53554521FE1B77595D9321E9702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.832{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_355194072\BIT5E5F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.785{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_355194072\BIT5E5F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.769{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x8000000000000000304110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.754{5097E253-483D-6148-1000-00000000FB01}961500C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000304109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.738{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.738{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.738{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.738{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000304104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.722{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.707{5097E253-976B-6149-822C-00000000FB01}80728C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+7605ac|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+75f530|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292b4af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0|C:\Program Files\Google\Chrome\Application\chrome.exe+a8e97|C:\Program Files\Google\Chrome\Application\chrome.exe+10f8e2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.707{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.707{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.687{5097E253-483B-6148-0B00-00000000FB01}6327456C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000304095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.671{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-976B-6149-822C-00000000FB01}8072C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.671{5097E253-976B-6149-822C-00000000FB01}8072\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.671{5097E253-483D-6148-1600-00000000FB01}12927676C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.671{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.17566391549524772930C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:23.671{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.17566391549524772930C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.655{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-976B-6149-822C-00000000FB01}8072C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.655{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-976B-6149-822C-00000000FB01}8072C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+90fd6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+906fa|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29ce45c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.655{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-976B-6149-822C-00000000FB01}8072C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.655{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.5658510432403013508C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:23.655{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.5658510432403013508C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.655{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-976B-6149-812C-00000000FB01}6528C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.640{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000304071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:27:23.640{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSa574e325-0a0f-479b-bcf0-95b33fe9bfb0 10341000x8000000000000000304070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.624{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.624{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.624{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.614{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.594{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.594{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.594{5097E253-976B-6149-802C-00000000FB01}4285440C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+7605ac|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+75f530|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+292b4af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8fc0d7|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8f9dff|C:\Program Files\Google\Chrome\Application\chrome.exe+a92e0|C:\Program Files\Google\Chrome\Application\chrome.exe+a8e97|C:\Program Files\Google\Chrome\Application\chrome.exe+10f8e2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.562{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.562{5097E253-976B-6149-802C-00000000FB01}428\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.12473758679290808349C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.12473758679290808349C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+90fd6|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+906fa|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29ce45c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-976B-6149-802C-00000000FB01}428C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Last BrowserMD5=DE9EF0C5BCC012A3A1131988DEE272D8,SHA256=3615498FBEF408A96BF30E01C318DAC2D5451B054998119080E7FAAC5995F590,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000304055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.17170520359059695698C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.17170520359059695698C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000304053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Provider CacheMD5=37192CC33E8EBE23D98022E09FA10157,SHA256=C54D88C67B3493C5082978A62F7995E814A80569FDECD5686BF72CF43D65CAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002MD5=22BF0E81636B1B45051B138F48B3D148,SHA256=E292F241DAAFC3DF90F3E2D339C61C6E2787A0D0739AAC764E1EA9BB8544EE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.547{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF51d5d82.TMPMD5=206702161F94C5CD39FADD03F4014D98,SHA256=1005A525006F148C86EFCBFB36C6EAC091B311532448010F70F7DE9A68007167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.515{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61498816-19AC.pmaMD5=5371C921F2145972ED84BB496AB3005F,SHA256=F640FDB69044BF91358C7EFA8F4BC08F4F44E38BE856EC7688A3B568921E36F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.484{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txtMD5=B06693C054CCD37BB7067A436661C037,SHA256=DA12C5DB28B539062419677743772A6638F4829FB5F1A07F20C5F42404221166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.484{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pmaMD5=D998DB6BB78F1336FF0E927205CD5DCD,SHA256=32BCE0EC12F35821550B935F0F9D841C1DCB83E9316C804190D0AA26881E9D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.484{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.484{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.125{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483BBC29688A2306D6E5DD6EE883FE81,SHA256=40C6F7793B86B568E0DBDBF5A6AF3769CF7FA8C07020083B1470B6335C934CAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.532{C189DCE5-976C-6149-D127-00000000FC01}20921748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000264841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.439{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3AE65CC9C780F72FE87B2D4684E7EA,SHA256=6D7CC4457DF2FCC641793346C8D8C8654B5186DE06780A290BE207CAE99CDA74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.006{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60265-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local47001- 354300x8000000000000000304133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.006{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60265-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local47001- 354300x8000000000000000304132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.980{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local60264-false142.250.181.238fra16s56-in-f14.1e100.net443https 354300x8000000000000000304131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.977{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62740- 354300x8000000000000000304130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.884{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59291-false142.250.185.99fra16s49-in-f3.1e100.net443https 354300x8000000000000000304129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.884{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local53216-false142.250.185.99fra16s49-in-f3.1e100.net443https 354300x8000000000000000304128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.880{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64312- 354300x8000000000000000304127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.869{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudpfalsetrueff02:0:0:0:0:0:0:fb-5353-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local5353- 354300x8000000000000000304126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.868{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrueff02:0:0:0:0:0:0:fb-5353-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local5353- 354300x8000000000000000304125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.868{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local5353-trueff02:0:0:0:0:0:0:fb-5353- 354300x8000000000000000304124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.868{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudpfalsefalse224.0.0.251-5353-false10.0.1.14win-dc-966.attackrange.local5353- 354300x8000000000000000304123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.868{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse224.0.0.251-5353-false10.0.1.14win-dc-966.attackrange.local5353- 354300x8000000000000000304122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:22.868{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local5353-false224.0.0.251-5353- 23542300x8000000000000000304121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:24.663{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94C712AFC67E2484BD309615CB96AC54,SHA256=4BE04B468879C9F64418B7FEDB4CCD3ECCB1C80C379834907441AE443B88689E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:24.663{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=516853E4E4A9AB629879A476A00A65E0,SHA256=5310D607941E978AC11577F5741D1D149D36EFC19164405A8F9D12372A6B283E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:24.491{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2CFAACAB1288FFF016716E749EF95C,SHA256=AE036E76891527DC1E5248D4F2DE6EF1A67429D75784B7BB4035864894DBCD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:24.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E266B8C45243A5198795C722C7A1483B,SHA256=A1A95EA30213207B8CA37564E57E92BE0CD08E49A734EEEDE7552E600C85FF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-976C-6149-D127-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-976C-6149-D127-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-976C-6149-D127-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:24.345{C189DCE5-976C-6149-D127-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.454{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4552836D954EDDA8C9D64A9D01F4C1C4,SHA256=560A145727063A44F3661592836E66DFE9B95235B247C912EA40417B8C51B06A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:25.679{5097E253-483C-6148-0D00-00000000FB01}9045916C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:25.194{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D793F269E670467285EAF3C42FE8342,SHA256=CDE4D9B6E46E97053DD214BE72DBF074ECB695D908FE1FFF0F01B855C8DFB43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.360{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4219B14AFC0490A6B84603453DE8B36,SHA256=D5EA85554AE9ABEC6E930B3710E27BE1A557B13B2261E4BE098E2C77FF79943B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.173{C189DCE5-976D-6149-D227-00000000FC01}368184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-976D-6149-D227-00000000FC01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-976D-6149-D227-00000000FC01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-976D-6149-D227-00000000FC01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.017{C189DCE5-976D-6149-D227-00000000FC01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.517{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C48BC467101D1415107948255F3CC4,SHA256=D1AE7959B7FA2448076D5173E7030FC9C3FF843BBA4C8E36212A8C7FF1061465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.410{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60268-false10.0.1.12-8000- 354300x8000000000000000304140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.105{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60267-false34.104.35.123123.35.104.34.bc.googleusercontent.com80http 354300x8000000000000000304139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.051{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60266-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local47001- 354300x8000000000000000304138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:23.051{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60266-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local47001- 23542300x8000000000000000304137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:26.210{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8667D64F982FE21B371E2CE498467E1B,SHA256=F1154AB3ABE7ED14485EE7678E6547094F8C7512F25217A3D284675114C05C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-976E-6149-D327-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-976E-6149-D327-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.235{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-976E-6149-D327-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:26.236{C189DCE5-976E-6149-D327-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000264875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:25.655{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:27.532{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898454242D374A89504C500C7176B96C,SHA256=E2EBDE5EB898092ADF529D21153A2AE39B4E91FDF3928D0EC55A21AD4B17011E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:27.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB1BB0992151DA0C743F91673CAED16,SHA256=79D490488493EF4233CA56B84416CE133174976CEF816280588594B4234116F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:27.454{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C55554C7B4A43E6247B17F3C8E89B8B5,SHA256=560905BF891CA639DD7D53058289FBF5F645230A7507D380F4E833494AC94813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:28.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B34652A6FFC61437B1DBB4A356C2655,SHA256=D003472AFCB8702CA25ADD1898045EAFBBA30044C105A172F39C139E9C481483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:28.741{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0C7105A718F496DABD4B88647979B44,SHA256=CFA2EC55BCB34619D6BE0504FFF090E20F2976AF46F4AFE319C41FF7CFCE6ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:28.257{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F60BD89CB2E3186DFBB127FA9CE60E5,SHA256=51B804FC57351EA83768F396C658873630D0EE205729F623C0B650DC03E1CC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:29.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D3055D8044CCEE4D9874ED49F8D79E,SHA256=43280C730B597AC4836F403ED9FDA639FEFF94302C9FC2EE64597D8A04B7280C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:29.257{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884E89E5527FD36281F85C392E45414D,SHA256=6836FC5113C2CC6A06E50FA3BFFF1B7AA4473E9325C52919BD90B5AE3362F090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:30.579{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26BE75B9FBCBC73BAF93F8067F268B2,SHA256=9485464BA16B1FDA5AB4FF6A553828E5B8084DD539E245C6F77C2C323D44DB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:30.272{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3152C51C9471A32D51F9773228654FE8,SHA256=5803DB2581F1070445F5B1FF6DF55DBC891AE6D44752C8B66E70EFBCE0BA2D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:31.595{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA1226EAB7BDBE3AB25227AE3BE877D,SHA256=D22EE131FB86AC4001ECB6A4EE788843040B3FD0D78BF5978D248201C14B0B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.882{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_355194072\S3ybLvFx94Hgn9pWLt24ugMD5=867BF8C831D8385CC3FFA006BC864A22,SHA256=B4DDBDCE4F8D5C080328AA34C19CB533F2EEDEC580B5D97DC14F74935E4756B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.835{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-9773-6149-832C-00000000FB01}5624C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:31.835{5097E253-9773-6149-832C-00000000FB01}5624\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:31.819{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.423832971065727104C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:31.819{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.423832971065727104C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.819{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9773-6149-832C-00000000FB01}5624C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.819{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-9773-6149-832C-00000000FB01}5624C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.819{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-9773-6149-832C-00000000FB01}5624C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:31.819{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.6607571357213926039C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:31.819{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.6607571357213926039C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000304147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8666522D71FFABD35C8131C818A858,SHA256=277C5E7F922D5356DB38F1901C38839CDFE58AE6D6BD20091A2B6C17B5BEB039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:32.845{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43600EC8BC6745C6B9F2C3EF4203853A,SHA256=0AA18ACC51A1151804CD7346974DAB759925E5791DAA726360CE9293F0C8DE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:32.845{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9615FCE02E8AB7C75A35354933CCF94A,SHA256=9A17D8F77167FD3C1D7F4B2FD136EE6477A67CA02D17C2EC155EF4502E00BEBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:30.702{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000264881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:30.482{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-64387-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000264880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:32.595{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22748B3E2F21E1AF87AA13B422FD369,SHA256=80949C79ABB102F31F18B0F6D80FC4D87BF9EFFB4CCD76A6D743F18D6651F2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:32.294{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F602EE1E7305B1C8B59FFE3FD73E34D,SHA256=10F569EDC3CD81DB54E2325013247599E1E225CD2C8B77486A5B535A154769FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:29.410{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60270-false10.0.1.12-8000- 354300x8000000000000000264886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:31.294{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51147-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000264885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:33.610{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F7043EA3C11739053A8F4D45C3AFBF,SHA256=46E6A48C932CBD8FECD31ED5E2FAF03FFE98FAF28F7848AEE2F766EA02ED4B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:33.795{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Module Info Cache~RF51d858c.TMPMD5=EFF28BCEC5992A5EB812A7BF4E86637A,SHA256=C5BA52AFFF2EB06007C7BF88D8B4EB2193BFBA1D472E50389931B246BB7F7AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:33.639{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51d84f0.TMPMD5=116A3297EE846B428AB23018316A473C,SHA256=842B114F596E804AA798EC3B07323D6D57F0E1E013D0CBE92EC4F676AC26553F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:33.561{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF51d84a2.TMPMD5=9DD4EFE746A605EF60B653B056D1217A,SHA256=BBB121BDDF146FBB8AC57DD15579FC5D90F19AD860EC885FE4C286585023C91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:33.295{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B467FA91EF3A961A0F5BB674ED4DD02,SHA256=C376A1553BFFF6876698F99D571B81DA1EEE2529E9E999F9FFF4C61E7E78EB19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.032{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-65124-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000264887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:34.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424148328B0A1C74BF20DFBADF252597,SHA256=3379E28517EC0EE3C6F91B902A3185A0854657F1C0572D1C1E01AAF87FCFAC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:34.608{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2FFC8B984E547805231C91B4FF6BFA3,SHA256=7069E699B25067CD0732AA63D18C5E946E07E8353A2541C9DACDCB72F7EB4826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:34.608{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E11D13145AD4EC8BABB3B2475235033F,SHA256=C711F0E376AB72FB9B72086FCF0CD30DB3811D12AC30865F75E8B577B9C4BFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:34.311{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2605019949D3FBC0187635311334F103,SHA256=EAB2C091597604E8F5E9C912D2A5F98544E3576F79A8BCCA78DF50B06D2E2339,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.202{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-966.attackrange.local63058-false142.250.185.99fra16s49-in-f3.1e100.net443https 354300x8000000000000000304165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:31.158{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51147-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000264888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:35.642{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4298555D7DEF19171828982D85E1747,SHA256=EE4B6EE99D1DC13E77452F5923B66E9B756F3C61DEDCE20400A5F799ED0F27C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:35.342{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0D23E06B02D269AB718153A8968A98,SHA256=E285BAF53DCFA36DAC271AF3DC381F6250EA519917B215EB81BE566C0836C9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:36.735{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:36.657{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20194CDE454183502D0016B506AE0905,SHA256=53C0B9A9F863F4CB8322CB8AAA347C28520A4BB75CC7B5ADC910907512F7DE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:36.858{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:36.358{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13072DCD8423D1EE677676DE2EF70F2,SHA256=2BE698AC7AA958931675262E2F8700B2893F528B10B45C40C447C6626018E81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:37.657{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE1A98F032CAF207C4B058758458DE1,SHA256=B1620CA1AD2BFD8A3AD3865731BC92E0A581DC18F2030FC381C6039513D0DD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:37.389{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92648B60F27267BA63BA951595029506,SHA256=381741AF40691487992C903EF91FF1C2923655D00C5F2D24F93BC2428822881C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:38.592{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2FFC8B984E547805231C91B4FF6BFA3,SHA256=7069E699B25067CD0732AA63D18C5E946E07E8353A2541C9DACDCB72F7EB4826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:38.389{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9ECBD486618B04AFBED0B8F092481F3,SHA256=C56572BB62D1015CD5155B9710332E49E085BA8E3C3F977D78761BBEB6DD618E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:38.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F246498F0695D750B85CC39287904005,SHA256=D16725353BFC789906F8554651494F154896B94AA86292B25A26D5A165167743,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:36.202{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000304175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:36.152{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60273-false10.0.1.12-8089- 354300x8000000000000000304174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:34.448{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60272-false10.0.1.12-8000- 23542300x8000000000000000264898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:39.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B96E0925872155EE2C50B645B842254,SHA256=70DCD9F72A4C125789CDE8736A1555639A8328CFF7C0F8446BA63A863C941570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:39.405{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABC2841A96E1D609BE32D95DE3EF0A0,SHA256=CDD5E9FB11E1075132C025B0EBC350C659C38EF9B1A6C4ECBB90A56D630B0D87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:36.904{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60274-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000304178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:36.903{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60274-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000264897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:39.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE37177528BC53978C79D40B291779C8,SHA256=6AEF7F85A8093018D2F8A51636DC32A4434138AA5969E85AFEF58DAA7434785B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:39.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43600EC8BC6745C6B9F2C3EF4203853A,SHA256=0AA18ACC51A1151804CD7346974DAB759925E5791DAA726360CE9293F0C8DE47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:36.848{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com7784-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000264894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:36.467{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:40.688{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927FB51E56CD7C6503BD6040C0D3DD55,SHA256=B69495C57630C4EB661E2C220F32176E9B531F715B8EF7EA2C4010E5978FF5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:40.420{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA91903D7C25CE93541590C451C73FAF,SHA256=15B386251E34140ADD987AE808FC93825CA317D4CFB68FE9E8126E3A882957A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:40.217{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1293211361\BIT9E76.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:40.170{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1293211361\BIT9E76.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:40.170{5097E253-483D-6148-1600-00000000FB01}12928076C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000264900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:41.704{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624CDB1F7C90F7EFD6B14882DE9EC1EA,SHA256=1DBC4EC8050023F7E2E8B485AAC424A1D8140277BCCC119F6F30D7698AA88875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:41.467{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1346A094445B94D477DF2D18AEC1EDC3,SHA256=E6A850C4FBDF42306AE82CA491BAE2DFA95B034780CF937684B2A5FFE466DADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:42.483{5097E253-483B-6148-0B00-00000000FB01}6326104C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000304186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:42.483{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A88692133D63DDF4FBC2A1D7461735,SHA256=4F7BD5EDE396A658A617593D049F89ED3601BB70DE90FCCBD25DBFCDCB1E4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:42.704{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37920DF44688A67DCF8FA03518A289D3,SHA256=DAFEE9465F1333D88206723D9DE2DD323091D5570F89E876A36598C2959B55F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:43.514{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51650AE7B60D8CAFB8C1835977C7FE61,SHA256=0A4ECA04B702F89D12EBA6348118182C518FC6F56BD730D397FD0D00E4F6DC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:43.498{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05BD06D8F437309732AE16168731F68,SHA256=A0601C31993B439F3A192A936BE9BCAF8A59A9E8A8FF1DC9CD85CCEEAABA2E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:43.720{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660CD7BA138671FB94BD7FB4DF175020,SHA256=1F91E3585774C4B3007259AE7CD6FE5D230D511162051ABB218241CF1A1C2C88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:40.402{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60276-false10.0.1.12-8000- 23542300x8000000000000000264904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:44.729{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A28634A5B8DEF6EE71092BDCE1AB72,SHA256=0DEB01BD6BD4EFBB6499AD7339D2AD52B7684ACC4D3509F5144BDABD5D32E54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:44.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FA4D2092E6EBCDDB491FD54FC7480D,SHA256=E72B753CF3924D30870855C5A1A193E5D7F850873094C26205DE1D3E47531679,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:41.793{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60277-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000304191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:41.793{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60277-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000264903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:41.514{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:45.729{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC455355CC76B2057989287236A5476E,SHA256=6FE832310AFEC69CD81311B0B5DFFEAB4A676D0B1D4E6F5C17EA26DC78F88A9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:45.578{5097E253-483C-6148-0D00-00000000FB01}9045916C:\Windows\system32\svchost.exe{5097E253-95E3-6149-2A2C-00000000FB01}6496C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000304195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:42.254{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om54050-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000304194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:45.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C4A6BA41B36666AC37AFEF5CA25326,SHA256=50130668E506565EB6FE032E04FBB6C81DD0637D0A8ADB492AF89AEBD0914E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:46.516{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C3A729B5FCC4A566DDD99D9F781329,SHA256=1FD360716519C350D107F87ABDB4AAFB2938B592DC8BB6B1C55FD237383B3D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:46.744{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FFBD5ACB0BE66A8B685C8646550016,SHA256=19FB582899104DDDA1D0378C99C7F428651DD599CCE93526767F2BCA92FA0E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:47.531{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C16D624DDB789070473FC8CA5BC650E,SHA256=96B5F4ECF81CD55F68915E7EC478872979EE3C915A8EEB316AC8765C4FF704C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:47.760{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEDE1CA8C47D647A621142BB039A0F7,SHA256=52449FBC8825171BD80AC11F0B56A583E0EC5EB3FA95E6214006FB16BF453072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:48.776{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CE30D9116CB6CE5D12610284C008E9,SHA256=542E8B79134268F2D15B5D21F052403215A9E7ACFB6124E7D70EC4D70F909279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:45.403{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60279-false10.0.1.12-8000- 23542300x8000000000000000304211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.566{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51dbf3a.TMPMD5=6A4B9698CBE0BEA3555D7A6D4DBF2F7F,SHA256=6B988A390EDDE0FC8E3E452A681D87A4240609C715692EBA8942223EFC249B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.535{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FA979F05D3259310B14CC1666C1323,SHA256=922188BA7A221CD1D1CAB0FD1037266A385B670E4D2CD702035A3A967F8B40DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.266{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1293211361\gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.29.4_all_acdpqrdkqkija6l7iceaxgclpl7q.crx3MD5=1B091FBE5D7937E50C27FC48D9A7B50E,SHA256=B45FC5F3479DC7B07E8E5822A11785819B7F1C249C9B47DCFFCB28EDBBC2D706,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000304208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.250{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\7848_294001982\LICENSE.txt2021-09-21 08:27:48.250 10341000x8000000000000000304207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.219{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-9784-6149-842C-00000000FB01}4660C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:48.219{5097E253-9784-6149-842C-00000000FB01}4660\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:48.203{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.6998184280079334480C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:48.203{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.6998184280079334480C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.203{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9784-6149-842C-00000000FB01}4660C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.203{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-9784-6149-842C-00000000FB01}4660C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:48.203{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-9784-6149-842C-00000000FB01}4660C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:27:48.203{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2734941334871962733C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:27:48.203{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2734941334871962733C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000264910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:49.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D74A00EB251BF22FF854F331638FF,SHA256=9C2B79434CD0F2F92E638EC199656F3D9517E5A54485B2AAFD27EE50FF980354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:49.566{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12E9349AF44890EEC1D56D439B5E0DE,SHA256=78538EAF7DDB0C3DC7B656F4C6D708E9B6248AE74E924C1B46C874120AE20C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:47.570{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:50.566{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6305145340BB0A56B028FB07C58FF0,SHA256=127AC617B0C7687B0429FDFEAE7DB4B8C86CE3F118D0D16B222AA7DAD223830E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:50.807{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330D457F2510D22EB3BE9731863FF9AB,SHA256=B73501250B566C0C376B5C3FF58CDA1A8A869831928A0C520F615BE33D7F9D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:51.598{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0681777D8A87203252D2679FA82BA0FE,SHA256=04195CA1F76BF3C57CB9E4CF81C6A9F8D63AD13BB9E36E0C988DF63FBA620562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:51.807{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB750D8BD3B879FF96EAB7F3987343B,SHA256=141DCFA8C91AE7D1BC64C25BBA889A5BE0562283D8008870CAEBA1EC104ABC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:51.583{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:51.583{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:51.583{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000304215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:51.535{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\6.png2021-09-21 08:27:51.535 23542300x8000000000000000264913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:52.823{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FEE33A7F70832896D5E97058F89B2F,SHA256=E6EC2643B0BE623C6C2A87D71AE248E7B3129A810DE3C1141366C804797A6A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.613{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8C62C5BBF224D519FB74FF85CFE8DB,SHA256=A02E1EBC041CD58D6C04DC4B6BEC3B5DE6A045B192DE8E77A7D2A5DD57937CEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9788-6149-852C-00000000FB01}8184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9788-6149-852C-00000000FB01}8184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.504{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9788-6149-852C-00000000FB01}8184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:52.505{5097E253-9788-6149-852C-00000000FB01}8184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:53.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EE903BFBE80DDFE52415CD236F95BA,SHA256=0861C2B7AE9B7528858CC4BA408F63A0E3C66B1FA3B07FAF19E9DEE0D81B0919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.973{5097E253-9789-6149-872C-00000000FB01}8606120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9789-6149-872C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9789-6149-872C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.832{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9789-6149-872C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.709{5097E253-9789-6149-872C-00000000FB01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.629{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF94A40F8EB5582890E0FF50D3A8B01,SHA256=ECC62066DF5CB5D3D8415A2638FAF0233B9B90F94FF33288FEA122DAD865D360,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:50.407{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60281-false10.0.1.12-8000- 10341000x8000000000000000304237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.223{5097E253-9789-6149-862C-00000000FB01}62205808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9789-6149-862C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9789-6149-862C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.082{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9789-6149-862C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:53.083{5097E253-9789-6149-862C-00000000FB01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.691{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648880A3056F23D60A201255D7F73A47,SHA256=A3298D72067177A85D053C15AAC1F6E6EF6D51276203F01D048A8E2D2E7787EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:54.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356A51D643F123C2797A29A9E672FF58,SHA256=1C136D1B6B5FEAE64AFA38EEA66391E0C3FCE482912136E4125F375ECEA69F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.660{5097E253-978A-6149-882C-00000000FB01}68846164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-978A-6149-882C-00000000FB01}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-978A-6149-882C-00000000FB01}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.504{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-978A-6149-882C-00000000FB01}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:54.505{5097E253-978A-6149-882C-00000000FB01}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.723{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A34CB20FBAC0498BB6D7A5644D98F90,SHA256=1E776CAF2BB28AB27DA3951861A874D4E936C5ADC59B86B5908ED2B075EC1161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:55.854{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47515A6C57E221C91EC9521BE0D9E50D,SHA256=2664FE5DCCD641EB1EF41BD1C37B65154F61C6A8761655A0BD4C24E875BB9D78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-978B-6149-8A2C-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-978B-6149-8A2C-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.676{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-978B-6149-8A2C-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.677{5097E253-978B-6149-8A2C-00000000FB01}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000304267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.395{5097E253-978B-6149-892C-00000000FB01}7646588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-978B-6149-892C-00000000FB01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-978B-6149-892C-00000000FB01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-978B-6149-892C-00000000FB01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:55.176{5097E253-978B-6149-892C-00000000FB01}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000264916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:53.523{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:56.754{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB473835D5AAAFD47ECCDDC7C5AE720,SHA256=F4CC92959BFB933ED4931CBD1EC37B95935AFDB8ECB33A854BF9F1C3F12E7228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:56.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE303C60558334C48F5D3D78BCD11423,SHA256=D64490A4708CD93A6D4ABCE4A8691B6503E3900D2C6D50D803AA21D0C2DDEED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:57.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED45531987E5C5A8E21D764329154A34,SHA256=8ECC6142AF7A0F325720D8FF755FF079F509BB7AA46431AE8E16558F83EBFF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:57.754{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1268A8C0397C656C85C3FB3BEA01F497,SHA256=5BE0D52041A520236B94970DE1094B01E8C7D305B4A4BC4B859E0CBDC62890C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:57.369{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:57.369{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:57.369{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000304282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:56.423{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60284-false10.0.1.12-8000- 354300x8000000000000000304281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:56.032{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60282-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000304280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:56.032{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60282-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000304279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:58.754{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70CA62B9FC4F269EF29DB952CAA447,SHA256=E6916035BA0B2304568DF7588A6A63EB47486761B63D382103DCA38212EC66C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:58.901{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6233E4B3E893DF19CD6D961060C22,SHA256=EE4AEC208DEDF812E6BA67409E39A8688912C5D317EB75ABBB135DD7142027DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.801{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F356DDAF089194A4DD0F3D7D14F06CF,SHA256=562AB7ADBDC3368654DE456DDCF30FD1EDB02185B4160A36D00E390FFCEE7258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:59.901{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D67B7642F322EB8939A036E7A6ED354,SHA256=ADD47B1D6F1A606BA9E07D7E903DBB249222846E648AAF70CB2CB6E782553034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-978F-6149-8B2C-00000000FB01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-978F-6149-8B2C-00000000FB01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.535{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-978F-6149-8B2C-00000000FB01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:27:59.536{5097E253-978F-6149-8B2C-00000000FB01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:00.816{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4ACD562C6DA5F3665AEDF76695845E,SHA256=713ACF1A8407035682EDB21AEC1635C9E0CC7464E7FFC603FDFE7D7F357B48DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:00.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A5A7DA8ED93FCA855CC3AD9D6BABFA,SHA256=785982100FF028C33D3167251BD0E13485C7F7873986FF56D8361CC4EF3AC308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:01.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A820C546C88E680BC933CF707A602E,SHA256=5304FB83DCD11E69E3192413BCD55FDA15E60BC56AA4F539CF966F9BE7998986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:01.832{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB04FED97E27CD3C78E4793FB7D8522,SHA256=F5F25F79EAA3F6825C3FB82CE1B50418AF118FED2C8F6F276DB09F5BFB262409,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:27:59.554{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:02.863{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F3F911979ADB74C3F7E4A753116220,SHA256=E614D09E97178F9998D314DFE6FBD3E93F7869C85A7E866CC9F47AC8D09FE166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:02.932{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F05434C7CE2BAF3FBD20B6D79210EA,SHA256=503BB3731452E7F2C4E40D13F9624FBAE8B3A4585FB573C5568C641E108D37A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:03.895{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9844F4589BDA8154B9A31D548CA0A4,SHA256=680721D051A966E4CE29FA90D39655721D386E2E07D6A12DBD1049EA020397CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:03.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60EFD7A22ABD219DD1C3383F48D1D89,SHA256=589A819820BE5442C51F1A147EF57966DC0293B3C6E300E0DCAB2805100AA285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:03.369{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CDCB7980A87C9F865B1A5177C3F08CD7,SHA256=1AD1F489B1ADC6FDCBA0DEEFD1497F4FEFE0E6E8F9FDDBDF55B0D54FDC98B2BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:02.469{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60286-false10.0.1.12-8000- 23542300x8000000000000000304299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:04.935{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5461E025F8A4AD32192A6A85234C2C45,SHA256=38ACE86F3596D6640F8F71C7FD8E8A7D71A7D73C927AC50B55C340DEE447D3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:04.961{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790237A9D4C3D33104D9A084006F38E9,SHA256=31AD39DDFC777941200ED73DDBDFED01E3349FA4E01BEDDCABCD74A9D1B2DE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:04.701{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2138368019\BITFE1B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:04.654{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2138368019\BITFE1B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:04.654{5097E253-483D-6148-1600-00000000FB01}12928076C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000264932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:05.977{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654C2838CFC4F5563DFDBD711D51B39,SHA256=5CF34C8E5B29384B2D447BE23927E6C4893709E3D89424E43DB0EF3B6E4E1FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:05.935{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B6AAE5187F70D73CA97A552195AF7C,SHA256=03AF2B93C1D7055E0FF94E36DF0453D58693CC954DCFEA36BCB7D93A0CA6B4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:06.951{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152D18EFA67B4015413F5373BF009E70,SHA256=1BFA1F5740CD1167E341B20206A0D3E2383E0933234EF2E3B932CDBCA69969A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:06.992{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C39FBB2CD198F96635E7B7989F27A48,SHA256=846D32BF3DDCA659719F865624770F55687D7D24049B24C03779F67BBC0DB324,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:05.599{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:08.139{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A7E45CB9E4338C671FD3FCF1B6A5F6,SHA256=606EAC291AB66C6BFB567B9BB4EC84DD83FBB8B9C40AE4186A856621FBB49E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:08.008{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42257ED1D17C0BED9074897138D2C252,SHA256=DDB55FE9663447F5F2F733FAD94E4D9A91646F5E2FB041266BFF880484D53C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:07.542{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60287-false10.0.1.12-8000- 23542300x8000000000000000304304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:09.154{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E4172E54E472636C7C57CBF0086750,SHA256=194CBACB9DCF2FA6F4DD6B086F4C7C23228CE4B449F6E4C774380F85B92286B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:09.008{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E30CA25BC75C8643FD1055BC4853FE,SHA256=30D20BE83F13FF07E383E154ABDD78E2D0249360DEF5D6641AE3C30BC55DDC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:10.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BFA2BBBE19AEB57B3A20B8B5736E59,SHA256=2B8EB1AA3E93270F52BD033005E06FF4316C8715E396E0A659D5897B81D91900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:10.023{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67032D593DDDBDBC5C06A5BB3AFCFA0B,SHA256=20E40A6FCC31DFBA789D01C521D9475D4401EBFD0AB8DBA6E6FDC59F47BA2D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:11.547{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1394MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:11.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEDE488C87C38D4C41F1FAED28F1735,SHA256=F7FFDEA86752DA032349E4CDC25589F88C2AF668666D562CD211F81540207D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:11.039{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF928912035251808CF923607C31391,SHA256=CA7B8DA4F0D46A42485F2BADA81355A96263D34786D253E1215F17786F7BFC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.975{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1632494406\BIT1E85.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.958{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1632494406\BIT1E85.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.955{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000304320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.949{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2138368019\obedbbhbpmojnkanicioggnmelmoomoc_20210914.397503390_all_ENUS500000_ey2l62m44i4d5eyhkueqyabbnm.crx3MD5=593D3F3A5F4FFB79CDCCB690D03C1936,SHA256=637D034F00939B9243A66DEA00B30BE490592E2C7DDEAA421877A518ED751D34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.793{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-979C-6149-8C2C-00000000FB01}6248C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:12.793{5097E253-979C-6149-8C2C-00000000FB01}6248\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:12.777{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.2296819788292775870C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:12.777{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.2296819788292775870C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.777{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-979C-6149-8C2C-00000000FB01}6248C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.777{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-979C-6149-8C2C-00000000FB01}6248C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.777{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-979C-6149-8C2C-00000000FB01}6248C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:12.777{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.3398173977809796960C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:12.777{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.3398173977809796960C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000304310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.561{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1395MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:12.185{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0181107850F945153CC13FEF2FB738E1,SHA256=5E16E88C0375CBE1188624CFD11B015B95C65A0058B7EDC15CD92021C69B0E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:12.039{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1F566916611FFB279A6EBCD1DEF7CB,SHA256=C0630F381013BA56AE5EE0C4C71BAB81A9F2BA63CD27C719BFA0C4F43510094F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:13.233{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51e1f9a.TMPMD5=C8CB18B686F6F2E32B03938B6D6BA56C,SHA256=134DF362A69FB685C9F30C382B29DAC45BDE092824329DCB1B06DC70AE1E839A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:13.186{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA10F8E31F404F840F19A3BD6FF6BC12,SHA256=563610063F4106953F63CA9D334EF242F4FEF9DDFC17D91E31CC85831E898B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:13.055{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E05375BCDECA8BDDA4CA65C83B6A13,SHA256=A3EA0BDAC18AEF590B59E354531D4CB729953B10B61BC9225E3491291AA08B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:14.218{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DABBE6935D77AD0F0FD009100F84CC,SHA256=77214BE2198ECBE21F55BED12449D3F59FEFF4CE4329E5D5FEC401B82455FC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:11.583{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000264941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:14.070{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE033BAB35B63E380CDAEACAB63794B,SHA256=AB55659C0F3616A425489F730E02FD1DBFA3E26CB4B9DE083AE42ED96235DEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:13.433{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60289-false10.0.1.12-8000- 23542300x8000000000000000304327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:15.218{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49B0ADC3CF4C885FEB602B538146C36,SHA256=386AA241E7F59C0245D941C77E4F40984A9B7F79245C733672D09D41F9478DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:15.070{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9587C8FE84434029EDBFE827B21C713D,SHA256=499646B2579C97BC269A970EFD879BAAB43CEAB22903C11A8C5F029001E5C2E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:16.983{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97A0-6149-8D2C-00000000FB01}7500C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:16.983{5097E253-97A0-6149-8D2C-00000000FB01}7500\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:16.968{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.4385600367856052899C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:16.968{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.4385600367856052899C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:16.968{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-97A0-6149-8D2C-00000000FB01}7500C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:16.968{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97A0-6149-8D2C-00000000FB01}7500C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:16.968{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-97A0-6149-8D2C-00000000FB01}7500C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:16.968{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.7163173571490165147C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:16.968{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.7163173571490165147C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000304329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:16.233{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4008B1919ACFDD2C0333991E32293A,SHA256=0398A3699AC6659ADC7700081975F13640CBF0FBA9756084AA6D2D9C949C4B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:16.086{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4560E8BEFB5359609551AF80E476CB,SHA256=166B71DDF70FF670A3EBC76845E7B035B6023367AC47054D11F2C2CC49070814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:17.257{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE0373D8F55283062CC657C0B5FA8DD,SHA256=AAF8380ECAC5549C5BABF71F19560CC3E1DE803BFF06C0EB6F122D8CFE2D4EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:17.102{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E38FABDBA4F92A9A97C837FA17A431,SHA256=ADFA0B32D94526114EB3EB58A031762F074421CA4ED71AC153D5F2F46EA7E05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:17.030{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1632494406\ALzUVHP-vRgKCzqwbtGugSEMD5=0BF5369CDA2102F7A1F1FEC9AE6F69FF,SHA256=FD515EC0DC30D25A09641B8B83729234BC50F4511E35CE17D24FD996252EAACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:18.272{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75777BBC2BC6163B5887609100876508,SHA256=5D9746FEDD2F0D3AE5B25B6C4C3C58FB21A64AF5C507AFD783E36C5B6C2E47AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:18.699{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1386MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:18.117{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4D6212AED868BB978E663E13E190C3,SHA256=CA2FA16B37C9955140B5366D5ECD2ED20D0C9E981E6A90949F5B29DD472ADD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:19.288{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB4E2CCB81C05216955D5638788A5F3,SHA256=60F7E720731A85FC540C4D90D73B9A769E500F77BC59B6F07B3A6F639AAF7016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:19.713{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1387MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:19.118{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D764E9CA6333A700F3D30F1BDB11F329,SHA256=3C290708E56EFDA484971E77B51DBA00D5D2337E08FC5DFFD590A756D5778CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000264948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:16.599{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000304344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:18.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60291-false10.0.1.12-8000- 23542300x8000000000000000304343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:20.303{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4C55B6A572AAAAC5A237F2921FA1A6,SHA256=CCB9AAC5C4FB2EC54A9B64626F5C93FC1F18E729881895137566B3592556177D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.978{C189DCE5-97A4-6149-D527-00000000FC01}30481616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A4-6149-D527-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-97A4-6149-D527-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A4-6149-D527-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.807{C189DCE5-97A4-6149-D527-00000000FC01}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000264965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.369{C189DCE5-97A4-6149-D427-00000000FC01}27841060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A4-6149-D427-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-97A4-6149-D427-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A4-6149-D427-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.133{C189DCE5-97A4-6149-D427-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:20.132{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A56F22A042487DD95477BBACC7CBBDE,SHA256=1F830FC50097CD6900EDBBE73492EE1FBF7F1F9568F9D4B0236D08966407780B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:21.319{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C18C3479E0F70CB0E43D8F474ECFBC,SHA256=4246A5A17BDE616C91F7275F614B42A0B9CEE435BE20D2B3754A78E69112407E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000264995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A5-6149-D627-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-97A5-6149-D627-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.478{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A5-6149-D627-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.479{C189DCE5-97A5-6149-D627-00000000FC01}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000264982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D65BFDE763912BDF3F95A19991F8FF1,SHA256=664633E5EEBA892AEE576E432F3BB0262153CF0559AA1F7E68E4ED94E138537F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0FF03028BE16BD7DEDE570D1E2D357,SHA256=9FCEEF33F43A4FE2C191AEF724903184572F74471C8C3B9762F58B52F70EFD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000264980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE37177528BC53978C79D40B291779C8,SHA256=6AEF7F85A8093018D2F8A51636DC32A4434138AA5969E85AFEF58DAA7434785B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:21.163{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1284130353\BIT3E63.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:21.116{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1284130353\BIT3E63.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:21.116{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000265010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.510{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D65BFDE763912BDF3F95A19991F8FF1,SHA256=664633E5EEBA892AEE576E432F3BB0262153CF0559AA1F7E68E4ED94E138537F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.447{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0DD5FEAC601ECF56324A867EC65A0E,SHA256=AC8E188EE2FFCF99EFF5BC9F446EED58B7A83567FD965D9D5A8FB7C1AC605781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:22.319{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AC6B2B06F3558F48F4BAD64172EB8D,SHA256=FBEC6DBBF37605BE0F91994219190E378146173D10343E382C7659FDEDE11DCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A6-6149-D727-00000000FC01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-97A6-6149-D727-00000000FC01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000264997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.150{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A6-6149-D727-00000000FC01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000264996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:22.151{C189DCE5-97A6-6149-D727-00000000FC01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:23.447{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD82FEF265851ABA5A215EBB93BEF2D,SHA256=E56978268CCA5F0F4B6C7A17A4A66300EC28808B32F217CFD4865D83671FF268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:23.413{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BE59060210F343B4C7BAB315E39823,SHA256=96249768C8DB7C8D5FC7F32C9FF8E83A5E0D5F9A3CD71C0EF001636E014F3EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:24.658{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9D955B53B5B1312FE87BC118E398B6,SHA256=86C99EBDAC8A983DF5A5E2A39877D569B5CDCDCE2714E2489EBED0874DF71201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A8-6149-D927-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-97A8-6149-D927-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.871{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A8-6149-D927-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.872{C189DCE5-97A8-6149-D927-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.605{C189DCE5-97A8-6149-D827-00000000FC01}29402776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000265026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39CFCE084280FA57F01EFE81F97371,SHA256=98FAA9AE718A71FA7F780D18CD05C8193D4BA5F8DA3676FC7569F3AF1884729F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97A8-6149-D827-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-97A8-6149-D827-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.371{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97A8-6149-D827-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:24.372{C189DCE5-97A8-6149-D827-00000000FC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000265012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:21.679{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6793156F99BA05E54844213214F5B47E,SHA256=3BF68D62621B89F34F74D7FEEF236A6AFABD34CE6E9150C1A2B956280CA6C2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:25.512{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3574A65B5CA2CDE81896C4DB872ADE,SHA256=F3D5606C4E6260027A9ABDC2CEE00353F486F303306EA89E7974FDCA0B97FA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.189{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1284130353\lmelglejhemejginpboagddgdfbepgmp_298_all_ZZ_acnrzvykjh7jlxbgx24na6o5sefq.crx3MD5=2E75A6275278C1E17B6BC7F03DEC3B81,SHA256=DAA9B29633D4B520F3AF3BA6F268AE11F826B7472862A92E255FFAAD9860B957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.142{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97A9-6149-8E2C-00000000FB01}3584C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:25.142{5097E253-97A9-6149-8E2C-00000000FB01}3584\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:25.127{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10653278749126594942C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:25.127{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10653278749126594942C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.127{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-97A9-6149-8E2C-00000000FB01}3584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.127{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97A9-6149-8E2C-00000000FB01}3584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:25.127{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-97A9-6149-8E2C-00000000FB01}3584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:25.127{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2279407475298517075C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:25.127{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.2279407475298517075C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000265042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:25.402{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABB946F5F315E20B747435211DEAF5F5,SHA256=C9D80515280076D1E7CCC3A614DD7A31E30E540E6A8B375F16CA236A57F01BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:25.027{C189DCE5-97A8-6149-D927-00000000FC01}20123604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:26.704{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F41C6F128A6D700009E93A3A55AF042,SHA256=DC326BB57D92A33D7E9DE1F776F6A471795BB3F9F479E39039A4E401623FFE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61051816EB2505AD1A9DD877A4D8B40C,SHA256=F48B910FB07D93452266A64D13DD764457F8D217FC45F6E11A57C625CC934194,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:24.467{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60293-false10.0.1.12-8000- 10341000x8000000000000000265056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97AA-6149-DA27-00000000FC01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-97AA-6149-DA27-00000000FC01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.246{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97AA-6149-DA27-00000000FC01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:26.247{C189DCE5-97AA-6149-DA27-00000000FC01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:27.559{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5659AE7571747F7987891B28333B103A,SHA256=355C8ABD56A687E455B71338D496F49B798C79D69B3313AF18DDAD0BEAC91424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:27.719{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C155B9D8581495199FC8C42BCE1373,SHA256=EFDD4C4DC6438A94D4434E9FFDA54C5713F83FE06215C872D2D9ADDA846457D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:27.047{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51e558e.TMPMD5=DE5E3A0199F273F0B1AC19B7C817F32A,SHA256=510D31AB3F23644ED28281054705C9CBC6F257EA2AAEFF0C52859380ECEC6066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:27.387{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CD30FD21219CCB37B81FB08084BE3C,SHA256=69EFECDC7F74DA3155208C0E2EB5575B7DB802CBCA2B729E5C411908801FEBB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:28.574{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6050CAEF063C80C81F11F059CEAC9765,SHA256=35C75F5B3C2F7886332828EE7EB5ACE2E30AE051DAC1E977F404F67310D035EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:28.751{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6FF5744BED2B6E10524DED26E98A0E05,SHA256=9B8D50F807B07AD306E00C7205B69FBC32D75A778DDA457450AAF57383AB2CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:28.735{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B97C96E16DEC7D5DFF61FBA9442959,SHA256=0F9BE6C20AFC327EAE46AD2202922CB7405D5797F2336585E5533A18981F842D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:29.766{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33E07F205B7B6A6B350725F8A29DC7A,SHA256=7190EE012FCCA940DFFAF8638FF211ED2CC2F4300D4D5D94002109030BFE6008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:29.574{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5067E2FF86F73F572195307867D804,SHA256=D10159D4A1138C5C11C2C6F210307336AB459F889AE8F57DE222F04914FE9C7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:27.618{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:30.782{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C4B4CED934BB0AC761936C004610B2,SHA256=FE5050BBB40E9B81F727E01366A942AD1411027D9466C40CE64FB4BF54AA7086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:30.590{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3192B50E0D83B238AE0D65DD005DD0,SHA256=F8DC0AFE4E4BD4850A7A8F4F9C9C9DDBC5ED073F3A3AEC07A450FD9F1A7D4876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:31.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55F17E0C6A83A77B79B14B22C654E0B,SHA256=AC86EA094351045DD847CF540CCEFA08D54733C68BDC4A877C9428A7AF6EB51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:31.797{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680693032D5C330291C4599A8A228A26,SHA256=39368A19E98B991AD737DC57BEDA73E9994108D416A8C96A1F80F36432495AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:32.637{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5F5F2B8F79BAF88A785AAED546FB44,SHA256=61DB89858A8F27154123D2DF23E50DBB90BC9301C0DDF84CC23CA7755526A167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:32.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512DB1B54B3A71C369DEA6A57F126D64,SHA256=6BD68DFE478A5723B2CB97048488322BB6EB54BD4B51346CA79B4FBA6FFB3946,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:30.357{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60295-false10.0.1.12-8000- 354300x8000000000000000304379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:31.081{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.42-54429-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000304378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:33.829{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E600CF110C1EDF42D290FDAC3F263926,SHA256=D4B12BEB97F28B35C8609286756F0F824B0B194E956F6B8EE3BEE8A060FCF23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:33.652{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C981423CDD78B6BA3A19062948216F9A,SHA256=11B3B17C597F74DB53C81B457847100E88C2E753471762C2CF1948A3F3E346D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:33.626{5097E253-96B7-6149-542C-00000000FB01}5960ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF51e6f40.TMPMD5=157A362A59FD6E1411E6FDAA6D985C36,SHA256=F76B4DBFF90B40B34B5D8341ACCDEFE2D7F5EEA21056FA27A256844726E40112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:33.407{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_87291093\BIT6E3E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:33.360{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_87291093\BIT6E3E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:33.360{5097E253-483D-6148-1600-00000000FB01}12928076C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000304382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:34.829{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E367E8FDA54FB0657AE9614B4473C98F,SHA256=103261183AA7B0F143D3733589DBA6E2C9D439F7B5B70E7887454AAAB5D2BAB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:32.728{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:34.652{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21D6386CA9BABB9FBEC840E1737632,SHA256=C33484339AEBDAA2DBC60B5203AC661FBE27B13EA9B8B7F59D366381F8A4A4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:34.641{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9231F8174E0B0AD0FF09A451A63C3EE2,SHA256=ED83DFE3B568BCEFFA13C9CC9891EB3AEDC72217C83DD9871F77CD8C915B8CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:34.641{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=729755A7F72924D514BC92F797ADFFE8,SHA256=DE4F0A8F25F2ACFCF23ACDA17709A7D18219EF6098DCBA098844E61836E8F735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:35.684{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1CE0FFE05CBF9AAF1F0B72DF8F5521,SHA256=D06D79047E5EF748E2A4DE5104E01D4409A9B09AF95DFFC8F1742FAAE766C0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E597DF7C59DC6B7971720E954E9E9D26,SHA256=92EA4160EA405BCDA320BF05E3FDF2E9F86B6CA4004B749CB52905C9EEB146D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:36.762{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:36.730{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810D335FD9D214CF2FEE93EF17C06C70,SHA256=21068F6B487CB530FEA9BE7F90651B8DE2A6F6BE35B3FCE0CBDB5B60554A8429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:36.876{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:36.844{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EDF5F82BB2E0CB1D0216884307E185,SHA256=64DF4FD8BAC859EFFE2A059A094376049E5261284D27EDDDC693276D8FB5502B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:36.172{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:36.157{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000304400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.846{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D48570C330C065B457DAE1D00DBDB0,SHA256=43481DB0952D60890E172600389B553F40E83038C6CD30BBCCAB3854CABAC4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:37.746{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DCA779772266EBB1395EC720182A1A,SHA256=E4EB9D0141E45630CBDA80814F3B38BEC4965E2E8F7FB73525C91C53BC891540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.800{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51e7f8c.TMPMD5=51FA4E3E787AA4474465AA11D5411BFC,SHA256=5E8BD5FC793276ED04E45C6EFCE5DF5F5AEDBC2D6A14D8330D24ADD0622B3D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.751{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_87291093\0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crxMD5=B92BBCFD3C31F799C5863D78154DB555,SHA256=6F6BC93DCD62DC251850D2FF458FDA96083CEB7FBE8EEB11248B8485EF2AEA23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.516{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97B5-6149-8F2C-00000000FB01}6584C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:37.516{5097E253-97B5-6149-8F2C-00000000FB01}6584\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:37.516{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.13926894182302926470C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:37.516{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.13926894182302926470C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.501{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-97B5-6149-8F2C-00000000FB01}6584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.501{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97B5-6149-8F2C-00000000FB01}6584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.501{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-97B5-6149-8F2C-00000000FB01}6584C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:37.501{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.12958226075725919260C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:37.501{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.12958226075725919260C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x8000000000000000304388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:37.157{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9231F8174E0B0AD0FF09A451A63C3EE2,SHA256=ED83DFE3B568BCEFFA13C9CC9891EB3AEDC72217C83DD9871F77CD8C915B8CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:38.862{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A016F5AFC5880B0546460D364E989D6C,SHA256=8AF718563A6E2F69F8D351B180DDF165630F58A31244DC928408342739E297CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:38.777{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6CC7EFCFE1051A9573E02C987CF8AC,SHA256=88BE188F20FB9B98908B4EB6A126F510AF8482205E550D38B75EE35C9D82313F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:36.169{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60303-false10.0.1.12-8089- 354300x8000000000000000304411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.513{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60302-false10.0.1.12-8000- 354300x8000000000000000304410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.470{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60301-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000304409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.470{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60301-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000304408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.367{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local60300-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000304407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.367{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60300-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000304406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.360{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60299-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000304405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.360{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60299-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000304404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.359{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60298-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000304403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.359{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60298-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000304402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.359{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60297-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000304401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:35.358{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local60297-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000265073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:36.212{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000304414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:39.878{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC4F30E0EEDCBACB421042FCAFD0E85,SHA256=7EDDF3A456437DDD5AD0E2C099C7BD07A4D986318ED613E5CE8299838FB0C079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:39.793{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840F8070897060C528781F8C4BDA2CEB,SHA256=794559F5F3810BD18F68D71B8D528B00DC018573DD9D7FCE825D6457B001E00C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:38.571{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:40.840{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACC079A05F61C7BBDA77F8F734524BA,SHA256=4158ECEA59EFE1530F433144F87476E81A3082FB4D2DD07CA024418366A4C7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:40.878{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42DEB35EE5317C13EDA951003C32526,SHA256=71AA19AA195759F6B03BE5DB7AEDB32DE755EAE0D25DB96923DFB1BAF5F6B8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:41.887{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA925747A9F247D262BA9F18C5E501B,SHA256=4E0B548FDEA46710D77B93FD6FE2F44BE4C83DCF37EF38E31563ACEFE5CE215D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:41.878{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C509ECA3594FB9829786920222BC0B68,SHA256=D51FAA2E6BFB3CB5B82DC072B3F22339276858F5AFA5BF96013628422068B065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:42.893{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198FA55B5ADB26D6CE8434ABDADB3D03,SHA256=EC2B362FF942AA537C318FF37F531EAB3E0FF1B31AA101F97BCE4EA0A4D13268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:42.934{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E847F2BFCCA6463A11F9973E59871C0,SHA256=F3A0E782E277A212A4BD181EABECCB85C0A818ADA6ADD68D5E3F10F64A3389B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:43.909{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED580EC82EA235C9867B373AC4C445C,SHA256=8D62CECE5DBBCB56E819C19B63E4A4886BCC1B39B0BF66BD82CA50133E42E60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:43.949{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86AF3D8204D30E53B3A6DD1CFE9E288,SHA256=C5B5B89AF3C58EFFBD16F04D3590689145A089D09A84478C1FB638282A70A8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:44.970{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4371C66ABF016B82799E6CF70305EA,SHA256=2E5AD94104A172F545176AE13B7DD7FB632C7E4D1F1411ABD177F03128152303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:44.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF10C0A69B06FBD4B5D6159F323AC6A1,SHA256=17C2358A06BE5DB7C5B6DCE40F0EC6153BE31F8FC86C42ED439E42EDCB680912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:41.406{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60305-false10.0.1.12-8000- 23542300x8000000000000000304421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:45.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC89467D8D8FF30CA2F609617289B784,SHA256=0A5731244E20D8388CBFBA9B20EC2A73B065D77CB3F3B233859B92038A071CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:46.975{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E719CEB206189A1FF91EC420EBC551,SHA256=260D13833DD8CE899ACAF0373E89CEA062BAD59C38EB9733EB2652E4DC46DAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:46.048{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046C6DFDB0FCEC0B9EED40C29887D5F7,SHA256=D7D6ED4EEFE1F1E28D76166CC04281E6E277886DCCF457CE1CBCB7C050B8D996,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:43.587{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:47.991{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07039496C554EE6A57DB3D77E343A6CF,SHA256=2212574E8EF3AA1DB2553219D0258FB03BBFD73158671DE1C9D512279D4788B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:47.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37EDE94B940DA75263D1C3FC57D714B,SHA256=FDBA6CD35BA1585A142E773D8FCFE90A1A339C535498A4D3F32CD8F4E29AE314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:48.569{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-8792-6149-A229-00000000FB01}4324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000304424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:48.569{5097E253-8791-6149-A029-00000000FB01}41846980C:\Windows\System32\RuntimeBroker.exe{5097E253-8792-6149-A229-00000000FB01}4324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000265085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:48.110{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEFD3B8779B0A5E0AA18391AB2FC572,SHA256=E58D71E592DEB8874B90D08D2A08D234158EE4BAABA2DB0FA627EF8BDA6CA2B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:46.425{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60307-false10.0.1.12-8000- 23542300x8000000000000000304426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:49.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B010F4BD331A93E224FB9BA245961B37,SHA256=ED563391710404A965DE4516A08DED67B83AC1E9EF856CA7EA09AFEBF49FC4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:49.126{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ABBC7AD9A83D5523E665E2F94A44A1,SHA256=F3DA3F78221B9CF39C2AB901F65A1998F35DFA9BAF7A0D796331B04096D7A28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:50.141{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59F3CBD09D50E452213CFF269E2640D,SHA256=02E780F23DE700C575C54949A985906AA090076B9498D1181F58701DD92E469E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:50.381{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2116092209\BITB087.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:50.335{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2116092209\BITB087.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:50.335{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000304428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:50.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC19E3D3D80BF37D4C02AAF5FBE928,SHA256=B8280374A9FE71051CC311620A90030BAD153F281F5560CB8A240955ED0F5F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:51.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609EFC084704599C1C2F116E5F19BFEC,SHA256=8D1B50FF811EBD196A799AD02110137FB8749D5B8633F4DAA84AFA25DAF771C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000304433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:51.631{5097E253-961E-6149-3A2C-00000000FB01}7644C:\Users\Administrator\AppData\Roaming\WIN32\WIN32.exeC:\Users\Administrator\AppData\Roaming\Screens\7.png2021-09-21 08:28:51.631 23542300x8000000000000000304432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:51.053{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED79E976B6267D3457178DF8BBE1303,SHA256=B268AB94AE19552E0ED21BC4599010959446D77964E53039F043657128A96023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:52.329{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31538493A7C569CAF8A89705AEC4CBA,SHA256=5BB4D29DDE55FD6DC8D0D335BF6DBE512E3E4445C20721F65EFAA2225ADE26B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C4-6149-902C-00000000FB01}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-97C4-6149-902C-00000000FB01}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.647{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C4-6149-902C-00000000FB01}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.507{5097E253-97C4-6149-902C-00000000FB01}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:52.069{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E58585CA71E16592815FBD3347A5B23,SHA256=07A6E874D2B55F9C59A4E71B496B3B01E957C79FF4CB838E189045DB4E1A47AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:49.591{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:53.360{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B26052C472E3547FADB8004E4791C72,SHA256=665E68C0500517420E26E64DD20DDDBFF1067CA77579FF10DE0DC425C99A7EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-97C5-6149-922C-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C5-6149-922C-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-97C5-6149-922C-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000304489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.444{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C5-6149-912C-00000000FB01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-97C5-6149-912C-00000000FB01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.319{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C5-6149-912C-00000000FB01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.320{5097E253-97C5-6149-912C-00000000FB01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000304444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:51.488{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60309-false10.0.1.12-8000- 23542300x8000000000000000304443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.069{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7EC9165575B5814BEE543F8D96985B,SHA256=1BF3735988D51DF608EBFF6BDF842B8AC4FE6DF2E78308C4F3D5663A0D49BD50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.829{5097E253-97C6-6149-942C-00000000FB01}3524428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C6-6149-942C-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-97C6-6149-942C-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.673{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C6-6149-942C-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.674{5097E253-97C6-6149-942C-00000000FB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.436{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=510B53F31603FB3A1C8E66B7B9C10E2B,SHA256=8EF3AB397F23500FB2CCEAD8E617A24E15874B8F0ED4F77B73F82FB50D0961BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB09B02411BF3091997275C6469DB22,SHA256=89FA8C16E37F0D03007F2FAAE8E1518C18F7DA99FC03D3EFB9215DBE2708E7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.397{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_2116092209\1.0.0.9_llkgjffcdpffmhiakmfcdcblohccpfmo.crxMD5=95514A311C029203950AAA395BC58C8D,SHA256=2881B30D5044C9959CEA23288D290B7E765565850A38228136DF79022A98498E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.366{5097E253-96B5-6149-522C-00000000FB01}71446508C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97C6-6149-932C-00000000FB01}1696C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:54.366{5097E253-97C6-6149-932C-00000000FB01}1696\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:54.350{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10111862205985972230C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:54.350{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.10111862205985972230C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.350{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-97C6-6149-932C-00000000FB01}1696C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.350{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97C6-6149-932C-00000000FB01}1696C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.350{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-97C6-6149-932C-00000000FB01}1696C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:28:54.350{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.855071327855016287C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:28:54.350{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.855071327855016287C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.163{5097E253-97C5-6149-922C-00000000FB01}47286780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.085{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ACEC778D672350B44AB4F44F60C853,SHA256=83056600A76EE4A6E1207440170F0E339C5F6AB900A160FFC574A285032F61BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:54.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144F751F9BB03BF84E7A768F5EBA70D7,SHA256=5F3C8D85F792D2D2EE32689020EC85E4600E0C9BBE0C1DD03C9F54DAA5E1C015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:54.038{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6004143EB49418D575D49DE16C5D04,SHA256=D8EE8FF8301F35535CD4888F03495D449A9D73F3EC00A41ED024EFCED312C17E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:53.991{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C5-6149-922C-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000265103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000265102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0516eb3d) 13241300x8000000000000000265101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeba-0x55129e05) 13241300x8000000000000000265100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0xb6d70605) 13241300x8000000000000000265099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aecb-0x189b6e05) 13241300x8000000000000000265098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000265097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0516eb3d) 13241300x8000000000000000265096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeba-0x55129e05) 13241300x8000000000000000265095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aec2-0xb6d70605) 13241300x8000000000000000265094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:28:55.907{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aecb-0x189b6e05) 23542300x8000000000000000265093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:55.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E511434723D8B5C35ED8367DEB8B370F,SHA256=0484E0AE80E174DB8EE86A3445B26A14AE0FEA799A4A381C83E790459FA44F10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.486{5097E253-97C7-6149-952C-00000000FB01}40687524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C7-6149-952C-00000000FB01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-97C7-6149-952C-00000000FB01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.345{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C7-6149-952C-00000000FB01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.346{5097E253-97C7-6149-952C-00000000FB01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:55.126{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5DF80E2E3F56149DC36D594A9F5D8D,SHA256=8607A4315170CDB5812AB5ACD9FF6DF618E64C1063F4007AF880C78E2515785A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:56.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2778E25D2CE9F0BC5C26EAA0EBB3AFFE,SHA256=F72619CB3F90B2FBD9D55E5AA38F1D2856B8ED62642A6D08AC367418716CF027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.157{5097E253-97C8-6149-962C-00000000FB01}60762064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.142{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB99ACCA87F1565E2436536E923DDE8,SHA256=184EC9F7BCB7C223C84331D1A746E61012FFD8BD7B5CAB25B9A2BDFFEE2B4AAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97C8-6149-962C-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-97C8-6149-962C-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.017{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97C8-6149-962C-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.018{5097E253-97C8-6149-962C-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:57.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F92F7CFD63C9455D4C28EC470283EBF,SHA256=4B4FE01996C9073BE855C09EF3C4B8DD9B66E8EF47CDB5EAC0986E401BA67E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:57.158{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB93FB76FA85C45348BFDB9B11845271,SHA256=EBDBEE5F08F4F4DECE667C0C02A7257EDDBBF6842BE579008AA6C83250E83267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:54.607{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:58.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1425E808268A633E6588717E16CCA1C5,SHA256=4987E2CEFD1E7A2FDC8929EAECC986B248EA3E36DBC294FEEE9DBFF7AF2DF5BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.045{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60310-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000304544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:56.045{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60310-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000304543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:58.189{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802A3B648356BF0E1F6801303B61C0DE,SHA256=A184B07D5286AC5E7E669B66B3948D0561C1F8D923958783A4CD631818DDD601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:28:59.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A2BE9A8A259ADF5FA3C29840ADFDF0,SHA256=AC74413E1B2136817A3D160DC1BBF56938CB74F52B9C837B108167C4CA2FDF07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-97CB-6149-972C-00000000FB01}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-97CB-6149-972C-00000000FB01}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-483C-6148-0C00-00000000FB01}8484908C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.532{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-97CB-6149-972C-00000000FB01}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000304549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.533{5097E253-97CB-6149-972C-00000000FB01}7932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000304548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:57.373{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local60312-false10.0.1.12-8000- 354300x8000000000000000304547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:57.154{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63111- 23542300x8000000000000000304546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:59.204{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6792393319564D68EB8FBCEEA5EF00,SHA256=77969598395E95BC0A16D4E309B5CE4AEDDD04AE3939D735D5762CA33669211A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:00.563{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D3109BC8F1D386BAC50B2E10D6CFAE,SHA256=8DD85269B542C137EAFC0913EB019DC9C10E7488E45CDECCAE8F6739954B7D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:00.266{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A742C8E72117C28EA5E91C5D5D61D8F9,SHA256=DFC3B4B866DA9290E277019B9FE7D73F213FE2381F4B5BBC165D5C55B25AEF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:01.594{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0B061B8EE7EDBE6E118D6596722244,SHA256=83C4325DC4DCDB37DDE9672BB3EE33F849F90FC99B1FC9CAADF4A8A0C0B27F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:01.470{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D54A5BC839D40FB5ACE7DD0B57815D4,SHA256=5043A9CA60F9ABCE42B57DC40C8624C10EA22FE0CC171898442F5F046753C1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:02.595{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E0856C73A98CA09B0EC1CBE3800D2A,SHA256=CB53C3AFD95689BC65FE7620EFAA7199E56D9436B747DF5B008B82BD3DA5D1DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:28:58.626{5097E253-96B7-6149-542C-00000000FB01}5960C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local63457-false142.250.186.74fra24s05-in-f10.1e100.net443https 23542300x8000000000000000304560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:02.532{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51ee02a.TMPMD5=D3ADE96007435A601279BCC20D2446BF,SHA256=D0FEA4E29B64A84EED18575D321592DF38DDCC7EC20886C955A48A297E619C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:02.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F388BD38A4692B0E5689D98A57B5CD4,SHA256=852208E67A62086067B40C90A6264054CB8B2366E1C23D07DDF845214C053A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:03.485{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391C2D5E414D9F7680E5D06FB3CF76A2,SHA256=51174DCF02ED4C6DC68318FD7C249AD75FC2DBC19F0C03B63D3B81B801D913A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:03.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46EB96C70071CD37F020024F372583A,SHA256=D2FA95DDEA0B74BCD196F983BDBAD4979EFBCD5A5BE5174EBF5B75D4EC284A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:03.376{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AC2456BD79C65747838FED20B7E36F7D,SHA256=65FA7A5C07CD49157B1B5AE67BB6CA9FA6FF0330A673432C2026746F4E065086,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:00.592{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:04.643{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB197701002577F567BB090AAD5038D,SHA256=EDBE301DD6EFB2EC03870F1BF1A6D6929CF4A58B7FABEC5A24F8874D5E80E374,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:01.795{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61275- 23542300x8000000000000000304563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:04.493{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2855D2BE51216D700C0F35ADE6D7E9A7,SHA256=F3B139B3CC095442B2C30BC5020D3C76F8EAA161E6E05B08CAF8A5E0A3156768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:05.675{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81099E5023E3528C22042045E0FBF371,SHA256=88D3E942F784A7B6382061D7341F372C8F8EDD7C8C69B22AF403F79D7CAF918E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:03.357{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63459-false10.0.1.12-8000- 23542300x8000000000000000304565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:05.508{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC7450009F5699F7BD772416D73F2AB,SHA256=4332A73DDA232DD063F867774EADF609A6B5F71BD8E8B5B71D20F1C188C55654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:06.690{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97691C6ECCC0EDAADA3FADFF32326BCA,SHA256=4F1893949F69197C63165BE5A3DA739550E364C3FC07A708E88F6CFDEBD08A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:06.540{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8D2AB6A931AD086382B4676ED3090B,SHA256=908AF423401456BF41EB9A21F8AE3B2EF0B0385EFD599AF962E7C715075B5255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:07.540{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B90E99B494CA768EF28E8918E92A113,SHA256=6C0C4C0F830061C65403C7E933B29C1454F7941E83E1F7A079A3E82C1F268931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:07.737{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31234AD292BD3794FB4E75DCFCA7CB9,SHA256=36E683C05128E31DC1D93D008A30B248824CD4D522BAA6EF372FEE162C4C5005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:08.571{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C68B7C481B6CCD7B01BB72BB345DE5,SHA256=AF27B9F39077F425CC3F2BCBC3CA64D8FF0C58ACFC9ADB17D4288076001DBA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:08.768{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB55C1C8292DFFF548E8E6FFDF5B4BA7,SHA256=73ECA4BDA8A9FC07B5AA482289A93F985767C538EDA79847B4FBF2D84B0689C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:09.784{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3533F2485B1BDCED79A7D97E43E6B58,SHA256=24076786B3A0CE709EA1E8ED7E3A36B989069DFD2C96130C7E5CD598E4499781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:09.586{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B812F7082A227B4AA2FD92DF87AA1060,SHA256=E62F7FA6B8CBA90F230DDA383382E4EAC9698C0792BCAAB58F866403C61A4742,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:06.531{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:10.800{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6126350C6263923DDFA3ADDA9B5173FE,SHA256=5EC3F195624CAC2956B17B72E968F0B4F66B6E981E7C422F122A195A2034B7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:10.602{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB15C532CA6447A904D26799523274A,SHA256=DCFCFE3C2680544B9A6B2132332795C0DA5B9C5665318A82145AC782A3CDB39A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:09.349{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63460-false10.0.1.12-8000- 23542300x8000000000000000304575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:11.602{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAD0F326E5C54BA3F33F05B502BEF14,SHA256=906EE769F2A027AE8582F5DD6266417DBBEA255F686A2B18E0E107AAF58A63DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:11.815{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070118C4C1EB84E56C7F3FE623CE41D,SHA256=8C743B975D47D2B6BFF3B8A34043605811BCCC97D648334302648CB15367392D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:11.118{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1409950524\BIT187.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:11.071{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1409950524\BIT187.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:11.071{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000304577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:12.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198131EF0738B9FAF9007C0B8A0B3D17,SHA256=D29EF61F5C3DF7BC7DE9AA7532D9868A9043FC499BF95511682A5ABFBD72A1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:12.831{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EBAF77CF383CB032E2B90E01D66261,SHA256=081094D006B93E85E2A7C5CD59D5E5399E78CF36D1A185D3EE6C038ABDE56E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:13.831{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C955D8E5FA097E8242C40601C8BEC02,SHA256=25FA66F29A8193931DFC6AB84D4C16A4FE7C14EC132CF95DB08BCBEFD399FDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:13.613{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02F06A4FD3B666D1F3273431B757CC7,SHA256=9AE09F05805D350138BDB1D9A1DE3B118D2DF63CB0C2531AE31439D02D74C809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:13.090{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1395MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:14.846{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F052599D87827D7FD1447352E474937F,SHA256=272687F0894143E4EEF80FE86F2F2F44E64F810740E644BEF2D18A344FF44383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:14.630{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88161EADDCA40349752793F859B966D2,SHA256=D0A5B096C407FBFB7E7C3CB330AF02DACE934511063CDC67F724B96EC506A205,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:12.546{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:14.098{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1396MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:15.862{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3601216F73FFFFC85909E3EDC2025802,SHA256=7B11621B471FC102291549DB92BD0E7858A5D3D379361B2B06D6FED7EBA545D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.633{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D8D8B38B0B1A0B56D0967A0FCCB5B7,SHA256=FC9870E92B66D9B8E97ED212DA5A605D9E46F9AF4A7C41C4638C346FEB1824FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.162{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_1409950524\khaoiebndkojlmppeemjhbpbandiljpe_45_win_adcs3xk2sovipzzwrg2uk2acjzwq.crx3MD5=9E37A84083CA682F3C8E20810A2C1799,SHA256=64379579590FD1B04E11613A876C48875CFA470897DBCC23C854E923602B21F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.115{5097E253-96B5-6149-522C-00000000FB01}71446816C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97DB-6149-982C-00000000FB01}7768C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:29:15.115{5097E253-97DB-6149-982C-00000000FB01}7768\crashpad_7848_IXLZNJCIOMPPPXRIC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x8000000000000000304588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:29:15.099{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.2073978578274820033C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:29:15.099{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7432.2073978578274820033C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x8000000000000000304586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.099{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-97DB-6149-982C-00000000FB01}7768C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000304585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.099{5097E253-96B5-6149-512C-00000000FB01}78487352C:\Program Files\Google\Chrome\Application\chrome.exe{5097E253-97DB-6149-982C-00000000FB01}7768C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:15.099{5097E253-483D-6148-1300-00000000FB01}9206244C:\Windows\System32\svchost.exe{5097E253-97DB-6149-982C-00000000FB01}7768C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000304583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:29:15.099{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10096783090098498421C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x8000000000000000304582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:29:15.099{5097E253-96B5-6149-512C-00000000FB01}7848\mojo.7848.7272.10096783090098498421C:\Program Files\Google\Chrome\Application\chrome.exe 354300x8000000000000000304595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:14.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63462-false10.0.1.12-8000- 354300x8000000000000000304594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:14.379{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59077- 23542300x8000000000000000304593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:16.648{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EF3F225DDC273244F32B42E6C81EBB,SHA256=999CBE88BF4A743621714A4812FD8E87C9996B2236A255AF141BA541538E1EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:16.940{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E48BEA31C49CEC089A747AED777416,SHA256=EE39501718B19FED2B46CEEB66896930EC0DD44F1F94353988E5C3E5C728D3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:17.956{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0ABB45905F0893CA852A354535EFDB,SHA256=0125DEF8E96EC7D4EDFC46E143B50F1DF4ABC6E53799ACE90760791268DE65D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:17.648{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F704001A6AFAAB6CD1D45FD51EEAC301,SHA256=190334B2C4952011D57F8ED336D922F58933390847C5F4BD8AD9671D411C362E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:18.664{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C1888A503202FE4994C5E9F84DE342,SHA256=E54945FD375718CFBDB2E10E2B493E9FFE4C896730421249B76EB9A719831817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:19.664{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76018160E240B44C608C6DF507FE114,SHA256=4DE9B7FFEE21AE21121A1FEFE56ED5C8E7C674B3EBF95196170CB7375917DF06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:17.687{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:19.003{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80853751D11EE204BD47348BE6E60119,SHA256=8BA1F66766C6FD180B18BDBB77CFAB635EF19B54DDEFE12FB1643525979C0225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:19.383{5097E253-96B5-6149-512C-00000000FB01}7848ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF51f21f6.TMPMD5=D05A922C7689FFD273817058AA56A1A8,SHA256=511EB2518C17F29E611502859D41ABC151A92EAB003112D44EE6978DA3D9945D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:20.664{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA24BF82FED5A50ED26EF1B414DE1405,SHA256=E5D362742070541866A0DFA9909ABA7BB3D2D768399780AE6D8113CDBCE9FCD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E0-6149-DC27-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-97E0-6149-DC27-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.803{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E0-6149-DC27-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.804{C189DCE5-97E0-6149-DC27-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.319{C189DCE5-97E0-6149-DB27-00000000FC01}1920692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000265147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.243{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1387MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E0-6149-DB27-00000000FC01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-97E0-6149-DB27-00000000FC01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.130{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E0-6149-DB27-00000000FC01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.131{C189DCE5-97E0-6149-DB27-00000000FC01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:20.005{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FAFA70E110231015707C894DDB656E,SHA256=47E6C159AD3A8A94A8548386028DA27532242BE45D19DB4895C9A6603E9C6694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:21.679{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DF3959C14550016786948F5D442F07,SHA256=50EE0F870A00C921C1DD57BFCF91DD8A375A0B0BFDF28D996D611B4A958EF5D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E1-6149-DD27-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-97E1-6149-DD27-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E1-6149-DD27-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.445{C189DCE5-97E1-6149-DD27-00000000FC01}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0783825650B747DCC4EE4B493BCCD52F,SHA256=E1AB42C685328CE304E014D99C0DA2D72FE0F6C65665B4B65ECE858EDFAE0555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7739BE040072C62A8CEF5E844E1F956A,SHA256=7B9F01604B46012B87B2FEEDDDA5DE3AF6091ACC1D6594C7CFA4317C30AD1553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.443{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAA05CAF24D9CA2510C018A42248903,SHA256=DFF90944BA3D4658654A441AAE96A8ABE7B905A4B6DCCCD554A37678B21C74D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:21.242{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1388MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:20.427{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63464-false10.0.1.12-8000- 23542300x8000000000000000304602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:22.711{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2E4F8E34A048CA4E6852AD48C16F58,SHA256=48727199B024102E9B0988D31E31255B041AAD1BE0BE4CFCE1463076C3BAA5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.584{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0783825650B747DCC4EE4B493BCCD52F,SHA256=E1AB42C685328CE304E014D99C0DA2D72FE0F6C65665B4B65ECE858EDFAE0555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.584{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57435833111B5A6C80426E7A6E0DFE3F,SHA256=D03D8868927BC53291A79B32D211493B8860FB3A25E0695740BE02C14457C18F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.303{C189DCE5-97E2-6149-DE27-00000000FC01}1904748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E2-6149-DE27-00000000FC01}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-97E2-6149-DE27-00000000FC01}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.116{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E2-6149-DE27-00000000FC01}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:22.117{C189DCE5-97E2-6149-DE27-00000000FC01}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000304604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:23.711{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BFBE4521E0D6394F512D434AEDFEA3,SHA256=98B795C2DD041F6137A79ED8138E735EF9542DE685133CF638F20BC1DEF0055C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:23.319{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6F6F3BD3FF8AB95CC3B4C0718D6EC9,SHA256=DED7625E641D2A80A2ED9A8E8A3566FAA2C8A84497B92F7E21D3F8E591615D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:24.716{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E03AD0516395360C83520F9B9BBD8B,SHA256=AE81558CCC1ED6B35AC6DF00E9E45563A4232F6110CC33591008D8DBD60CCC2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E4-6149-E027-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-97E4-6149-E027-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.867{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E4-6149-E027-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.868{C189DCE5-97E4-6149-E027-00000000FC01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000265210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.586{C189DCE5-97E4-6149-DF27-00000000FC01}39323652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E4-6149-DF27-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-97E4-6149-DF27-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.367{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E4-6149-DF27-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.368{C189DCE5-97E4-6149-DF27-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000265196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:24.351{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFE38C90FD12AD4ECB6D304CBEF3CB5,SHA256=F600299CE65CB5AE560BA75D2725E49CF8D54420CD5B89B240268C691844321A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:25.732{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB72F9D2903D8E91B0E1519B6F3C1B5,SHA256=04C4E1BE65C2018C9BF3B90E1B300B355C098CE824132EF36ED02415944F0E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:25.492{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650267B2F98AF5CDDDED2C75F5A2F238,SHA256=19951BD68AA4125C369279501439A7850DAD6E897D4B758D79C671B744290410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:25.492{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FB4C7ADAFD62FA00C067E137BB777A,SHA256=D3C8F8D0AFF47A6AFF15B8C721D98F682A80CCBC01E49EBFC8FE982D141C1691,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:25.054{C189DCE5-97E4-6149-E027-00000000FC01}3088920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000304607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:26.747{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AAFDC97D2D3AE09E06EE6595B7320B,SHA256=359B73834F20886C7B769DE63CD643D38A6EA9D8DEB96D00F89AD4830BE84CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.508{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA0A562F5DF9B642B8E52895CFEE633,SHA256=CC770B36771D6F87E72306DA00F1BED14452EDE3B98FE107556C21BCD6F8A133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000265240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-97E6-6149-E127-00000000FC01}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-97E6-6149-E127-00000000FC01}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000265229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-97E6-6149-E127-00000000FC01}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:26.258{C189DCE5-97E6-6149-E127-00000000FC01}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000265227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:23.519{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:27.747{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4C379CB443BA077C4AD4AB94BEBA00,SHA256=366D5FA84E2CDC5A859E0B589835ABC02D389F1BCAF0378AA8364B7F8E88B4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:27.539{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BCBCDA4700ADC5EEF4EA6DB306C986,SHA256=5E21AEC55502753CAB0660FAD00E5F9F70E4024EF75DB8C02A690E7B24D001AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:27.429{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FB2BE4941CEC73915609A777A385D20,SHA256=DD4F078438F0D19F83594D2E1390ABE49DD84BD30827105DA8CFCC7BAA3D7F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:28.763{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E21BC67A05F307F5B67E9EC46FEE62,SHA256=5433B3931A649CF742CCF734799924B4B5407F907F905A032C24B7791CD8DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:28.763{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7594AA46A670D1551124D544F16B5CA7,SHA256=C79080232062BD54EFA84DFF4ECB287EC8F1AEB50EDC8D0F0AF18C352AF36D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:28.570{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF56D951123F1A40CE00CB9980F283FC,SHA256=AC2C5FF6CDF5A058892C92522D1B33C37CF63E0447BDE479AF894DE71A5C5361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:25.479{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63466-false10.0.1.12-8000- 23542300x8000000000000000304612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:29.935{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D745F226AA8044B6F20C85E73E43E35,SHA256=18ECDA63CD4A1669D4645D63C1638E9FCF0AF9C7B432BEA9FB7E47851E3A5D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:29.617{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902D1561CB6D56CEF784D0D37235F0F7,SHA256=B51B0D77A90B6FC1D64CD211B431475B78ACF27A054CD75965EE601EEE1F7247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:30.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D71059B0D5BF6DAE9044CCEF0C08D65,SHA256=43C1F864FE046AB9213969EDEE9036C254CE17AACD6B9E4F2CE57A1636816F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:28.598{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000265246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:30.664{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00EAC855E96327C0B2DFE1FEC2F537A,SHA256=491BEFE9D174971EC363938CDCB268098D54CB59C4D9A69267EEB5CD051A56DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:31.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E51F1C05D621BF5EA0B268500B0025,SHA256=D356D70011155CBFD2BD91929386F6C8A64747C9934B107A7F3A35635F110BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:31.742{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8887536DACD7FF89FB7056D4A8BAB97,SHA256=1C13ED5EC8D8ED1E78259B3F5B0E2C2705524BABCB6C89DB93BEB7EFE6C3E6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:32.758{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70247E6BDC0406DA05F6E67E3D49D0B1,SHA256=C453A60040B507B9AF6B1EEFBB3E886241657A36705FF475EC213EA7C90633EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:33.804{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940A8609FB143D5FCE52A35C7B708E4,SHA256=7D2D7C31718C597A662796ECB4A37479A1575280F04285BF7AFFA38CF7B3D5D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000304616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:30.541{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local63468-false10.0.1.12-8000- 23542300x8000000000000000304615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:32.997{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9080D0E1AD6B3C4620561C9AB4C2D536,SHA256=E0F64C63DEF2889C4EBEAB318E7F0E3B7B6E2FDF044D4C546DAB65834DA0460D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:34.836{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A228BDB221868427E85069355F1F0E,SHA256=2647896D57C7E02EA03FBA5CE685AEC67C5B6D76F7265831EA43EDFA90502D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:34.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC57B74E19D50211464C515730E3D33,SHA256=A346550817D98F44CAE844443E651ECB7E8D6E4991682233125A2E8F15A2B47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:35.851{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D424C6EF916C8667ACE156006D6D9C,SHA256=37C911806735F06EA551125DE4D0B57F783F1483E32E16597B44A5140A7D61D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:35.982{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_540378592\BIT62A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:35.935{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\chrome_BITS_7848_540378592\BIT62A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000304619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:35.935{5097E253-483D-6148-1600-00000000FB01}12921484C:\Windows\system32\svchost.exe{5097E253-96B5-6149-512C-00000000FB01}7848C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 23542300x8000000000000000304618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:35.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970168595D40F6B8DB44AA59F945D83D,SHA256=F7C107ACB75933FF478246AB5B75BF8FBC24B18F85F002E4933F788EC977EE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:36.867{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0BEC93237B0A7093AF369B9D71D9C6,SHA256=C7D15C75C832F958A477C89BB3E4742732819229910E5CDB23F085214A27384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:36.903{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000304622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:36.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2AF371EF5BCEC3F6EAACF764B7D484,SHA256=175DEDE92C0961DF9A2B974BA5624E4F38909076896A7EF70AAD5371AFED6CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000265254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:36.764{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000265253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:29:33.660{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000304624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:29:37.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372F028ACEAE34ADA1125D5107F4E43C,SHA256=51E71030778392A22604C050CBDD86C668CA55B9CF4D832C927CC19F137C2D5D,IMPHASH=00000000000000000000000000000000falsetrue